New CVE entries this week

Masami Ichikawa

Hi!

It's this week's CVE report.

This week reported 2 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2020-36516: Off-Path TCP Exploits of the Mixed IPID Assignment

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16.11. The mixed
IPID assignment method with the hash-based IPID assignment policy
allows an off-path attacker to inject data into a victim's TCP session
or terminate that session.

According to commit 23f5740 ("ipv4: avoid using shared IP
generator for connected sockets"), this bug was introduced by commit
73f156a ("inetpeer: get rid of ip_id_count") which was merged at

The 4.4 kernel was fixed in its maintenance phase.

Fixed status

mainline: [23f57406b82de51809d5812afd96f210f8b627f3]
stable/4.14: [853f58791145b6d7e6d2b6ff2a982119e920e21a]
stable/4.19: [eb04c6d1ec67e30f3aa5ef82112cbfdbddfd4f65]
stable/4.4: [e1b3fa7b6471e1b2f4c7573711e7f8ee2e9f3dc3]
stable/4.9: [2b77927a8cb7f540ca2bccff4017745104fe371b]
stable/5.10: [b26fed25e67bc09f28f998569ed14022e07b174b]
stable/5.15: [dee686cbfdd13ca022f20be344a14f595a93f303]
stable/5.16: [32ac95e4478f7aeb1d9f9539430361737eec8459]
stable/5.4: [1f748455a8f0e984dc91fc09e6dfe99f0e58cfbe]

CVE-2022-0812: NFS over RDMA random memory leakage

CVSS v3 score is not provided

According to the Red Hat Bugzilla, "An information
leak flaw was found in NFS over RDMA in the
net/sunrpc/xprtrdma/rpc_rdma.c function in RPCRDMA_HDRLEN_MIN (7) (in
rpcrdma_max_call_header_size, rpcrdma_max_reply_header_size). This
flaw allows an attacker with normal user privileges to leak kernel

Vulnerable functions rpcrdma_max_call_header_size() and
rpcrdma_max_reply_header_size() were added by commit 302d3de
("xprtrdma: Prevent inline overflow"). These functions were introduced
in 4.7-rc1. The 4.4 kernel's size calculation logic is different from
the others, so it looks like 4.4 isn't affected by this issue.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2022-0646: mctp: serial: Cancel pending work from ndo_uninit handler

This bug was introduced by commit 7bd9890 ("mctp: serial: cancel tx
work on ldisc close"). This commit was merged in 5.17-rc1 and has not
been backported to stable kernels. So, stable kernels aren't affected
by this issue.

Fixed status

mainline: [6c342ce2239c182c2428ce5a44cb32330434ae6e]

CVE-2022-25636: netfilter: nf_tables_offload: incorrect flow offload
action array size

This issue was introduced by commit be2861d ("netfilter:
nft_{fwd,dup}_netdev: add offload support") that was merged since

Fixed status

mainline: [b1a5983f56e371046dcf164f90bfaf704d2b89f6]
stable/5.10: [68f19845f580a1d3ac1ef40e95b0250804e046bb]
stable/5.15: [6c5d780469d6c3590729940e2be8a3bd66ea4814]
stable/5.16: [6bff27caef1ee07a8b190f34cf32c99d6cc37a33]
stable/5.4: [49c011a44edd14adb555dbcbaf757f52b1f2f748]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...
