Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx
CVE-2021-32846

7.7HIGH

Key Information:

Vendor: Moby
Status: Hyperkit
Vendor: CVE Published:; 17 February 2023

What is CVE-2021-32846?

In HyperKit versions prior to a patch, a flaw in the virtio-sock functionality can lead to the use of uninitialized memory. Specifically, the function pci_vtsock_proc_tx inadequately checks its return value, allowing a negative return when an unrecoverable error occurs. This oversight may cause the host to crash and enable denial of service attacks, in addition to posing risks for memory corruption during operations that expect only non-negative values. Moby's focus on security led to the resolution of this issue in an update.

Affected Version(s)

hyperkit 0.20210107

References

https://securitylab.github.com/advisories/GHSL-2021-054_0...

https://github.com/moby/hyperkit/pull/313

https://github.com/moby/hyperkit/commit/af5eba2360a7351c0...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2023
Vulnerability Reserved
May 12, 2021