Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: crypto: cavium - prevent integer overflow loading firmware The "code_length" value comes from the firmware file. If your firmware is untrusted realistically there is probably very little you can do to protect yourself. Still we try to limit the damage as much as possible. Also Smatch marks any data read from the filesystem as untrusted and prints warnings if it not capped correctly. The "ntohl(ucode->code_length) * 2" multiplication can have an integer overflow.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 4.11, < 4.14.296 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/172c8a24fc8312cf6b88d3c88469653fdcb1c127Patch
- https://git.kernel.org/stable/c/2526d6bf27d15054bb0778b2f7bc6625fd934905Patch
- https://git.kernel.org/stable/c/371fa5129af53a79f6dddc90fe5bb0825cbe72a4Patch
- https://git.kernel.org/stable/c/3a720eb89026c5241b8c4abb33370dc6fb565eeePatch
- https://git.kernel.org/stable/c/584561e94260268abe1c83e00d9c205565cb7bc5Patch
- https://git.kernel.org/stable/c/90e483e7f20c32287d2a9da967e122938f52737aPatch
- https://git.kernel.org/stable/c/c4d4c2afd08dfb3cd1c880d1811ede2568e81a6dPatch
- https://git.kernel.org/stable/c/e29fd7a6852376d2cfb95ad5d6d3eeff93f815e9Patch
FAQ
What is CVE-2022-50330?
CVE-2022-50330 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: crypto: cavium - prevent integer overflow loading firmware The "code_length" value comes from the firmware file. If your firmware...
How severe is CVE-2022-50330?
CVE-2022-50330 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-50330?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.