Local Vulnerability in systemd Affects Users with Versions 250 and 251
CVE-2022-45873
5.5 MEDIUM
What is CVE-2022-45873?
Local users can exploit a vulnerability in systemd versions 250 and 251 to deadlock the systemd-coredump service. The issue arises during the parsing of ELF objects when a binary that recursively calls the same function crashes. Placing the binary in deeply nested directories lengthens the backtrace enough to trigger the systemd-coredump deadlock, particularly under conditions set by the MaxConnections parameter. The crash must be triggered multiple times in sequence to fully exploit the issue, potentially impacting system reliability.
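A host triage check for the condition described above, as an added example that is not part of the original advisory. It flags the affected major versions (250 and 251) and, as an assumption made here, treats a full connection count on `systemd-coredump.socket` as a symptom worth investigating. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added triage example, not from the advisory. The functions take text as
# arguments so they can be exercised offline on captured command output.

# Major version from the first line of `systemctl --version` output,
# e.g. "systemd 251 (251.4-1ubuntu7)" -> 251
systemd_major() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" { sub(/[^0-9].*$/, "", $2); print $2 }'
}

# Return 0 when the major version is one the advisory lists (250 or 251).
is_affected() {
    case "$(systemd_major "$1")" in
        250|251) return 0 ;;
        *) return 1 ;;
    esac
}

# Read KEY=VALUE lines in `systemctl show` format and return 0 when every
# allowed connection slot of the socket unit is in use (assumed symptom).
coredump_saturated() {
    printf '%s\n' "$1" | awk -F= '
        $1=="MaxConnections" { max=$2 }
        $1=="NConnections"   { cur=$2 }
        END { exit !(max != "" && cur != "" && max+0 > 0 && cur+0 >= max+0) }'
}

# $1 = version text, $2 = socket property text; prints one verdict word.
triage() {
    if ! is_affected "$1"; then echo "not-affected"; return; fi
    if coredump_saturated "$2"; then echo "affected-saturated"; else echo "affected"; fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_VERSION='systemd 251 (251.4-1ubuntu7)'
SAMPLE_SOCKET='MaxConnections=16
NConnections=16'
triage "$SAMPLE_VERSION" "$SAMPLE_SOCKET"
```

On a live host, pass `"$(systemctl --version)"` and `"$(systemctl show systemd-coredump.socket -p MaxConnections -p NConnections)"` as the two arguments to `triage`.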
