CVE-2022-3534

Description

A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dwarves-dfsg	25.10 questing	Not in release
	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Fixed 1.21-0ubuntu1~20.04.1
	18.04 LTS bionic	Fixed 1.21-0ubuntu1~18.04.1+esm1
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Ignored end of standard support
libbpf	25.10 questing	Fixed 1.0.1-2ubuntu1
	25.04 plucky	Fixed 1.0.1-2ubuntu1
	24.10 oracular	Fixed 1.0.1-2ubuntu1
	24.04 LTS noble	Fixed 1.0.1-2ubuntu1
	23.10 mantic	Fixed 1.0.1-2ubuntu1
	23.04 lunar	Fixed 1.0.1-2ubuntu1
	22.10 kinetic	Fixed 0.8.0-1ubuntu22.10.1
	22.04 LTS jammy	Fixed 0.5.0-1ubuntu22.04.1
	20.04 LTS focal	Fixed 0.5.0-1~ubuntu20.04.1+esm1
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Ignored end of standard support
	14.04 LTS trusty	Ignored end of standard support

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

mdeslaur

introduced by: https://github.com/libbpf/libbpf/commit/7ac1547f32f060d84b06c74edbb2c6896cc07949

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libbpf	Upstream: 54caf92

Severity score breakdown

Parameter	Value
Base score	5.5 · Medium
Attack vector	Adjacent
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Related Ubuntu Security Notices (USN)

USN-5759-1
LibBPF vulnerabilities
5 December 2022

USN-5759-2
LibBPF vulnerabilities
8 December 2022

USN-6215-1
dwarves vulnerabilities
11 July 2023

Other references

https://www.cve.org/CVERecord?id=CVE-2022-3534

Cvss 3 Severity Score