Moby HyperKit uninitialized memory use vtrnd pci_vtrnd_notify
CVE-2021-32845

7.7 HIGH

Key Information:

Vendor
Moby
Status
Vendor
CVE Published: 17 February 2023

Summary

In HyperKit versions 0.20210107 and earlier, the qnotify function in pci_vtrnd_notify does not check the return value of vq_getchain. When vq_getchain fails, the struct iovec iov is left uninitialized and is then used, which an attacker can exploit to read sensitive memory. The flaw may result in denial of service by crashing the host and could also cause memory corruption, affecting the stability and security of the system.

Affected Version(s)

hyperkit 0.20210107

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
