CVE-2010-4258 — Vulnetix

Try Vulnetix Request Demo

CVE-2010-4258 PUBLISHED CVSS 6.900000095367432 MEDIUM

The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.

EPSS 5.86% · 90.5th percentile

Risk Scores

CVSS v4.0

6.900000095367432

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS Score

5.86%

90.5th percentile

Affected Products

Vendor	Product	Versions
suse	linux_enterprise_real_time_extension	11
fedoraproject	fedora	13
suse	linux_enterprise_server	11, 10, 9
suse	linux_enterprise_software_development_kit	10
n/a	n/a	n/a
opensuse	opensuse	11.3, 11.2
linux	linux_kernel	0
suse	linux_enterprise_desktop	11, 10

Timeline

Dec 7, 2010 PoC Published
Dec 8, 2010 PoC Published
Dec 30, 2010 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Sep 10, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score

References

[oss-security] 20101202 CVE request: kernel: failure to revert address limit override in OOPS error path mailing-list
43056 third-party-advisory
SUSE-SA:2011:004 vendor-advisory
42778 third-party-advisory
[oss-security] 20101202 kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses mailing-list
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 url
42801 third-party-advisory
SUSE-SA:2011:002 vendor-advisory
http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/ url
[oss-security] 20101209 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses mailing-list
FEDORA-2010-18983 vendor-advisory
SUSE-SA:2011:001 vendor-advisory
42932 third-party-advisory
20101207 Linux kernel exploit mailing-list
ADV-2011-0124 vdb
[linux-kernel] 20101201 [PATCH v2] do_exit(): Make sure we run with get_fs() == USER_DS. mailing-list
SUSE-SA:2011:007 vendor-advisory
ADV-2010-3321 vdb
[oss-security] 20101208 Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses mailing-list
ADV-2011-0298 vdb

…and 21 more

Open in Interactive Console →