Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx
CVE-2021-32846

7.7 HIGH

Key Information:

Vendor: Moby
Status: Vendor
CVE Published: 17 February 2023

Summary

In HyperKit versions before the fix, a flaw in the virtio-sock functionality can lead to the use of uninitialized memory. Specifically, the return-value check in the function pci_vtsock_proc_tx is inadequate: it does not account for the negative value returned when an unrecoverable error occurs. This oversight may cause the host to crash, enabling denial-of-service attacks, and poses a risk of memory corruption in operations that expect only non-negative values. Moby's focus on security led to the resolution of this issue in an update.

Affected Version(s)

hyperkit 0.20210107

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
