Advisories » MGASA-2022-0478

Updated kernel-linus packages fix security vulnerabilities

Publication date: 17 Dec 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-3169 , CVE-2022-3344 , CVE-2022-3521 , CVE-2022-3643 , CVE-2022-4139 , CVE-2022-4378 , CVE-2022-45869


This kernel-linus update is based on upstream 5.15.82 and fixes atleast the
following security issues:

A flaw was found in the Linux kernel. A denial of service flaw may occur
if there is a consecutive request of the NVME_IOCTL_RESET and the
NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting
in a PCIe link disconnect (CVE-2022-3169).

A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious
L1 guest could purposely fail to intercept the shutdown of a cooperative
nested guest (L2), possibly leading to a page fault and kernel panic in
the host (L0) (CVE-2022-3344).

A vulnerability has been found in Linux Kernel function kcm_tx_work of the
file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race
condition (CVE-2022-3521).

An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel
driver, potentially leading to random memory corruption or data leaks. This
flaw could allow a local user to crash the system or escalate their
privileges on the system (CVE-2022-4139).

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in
how a user changes certain kernel parameters and variables. This flaw
allows a local user to crash or potentially escalate their privileges on the
system (CVE-2022-4378).

A race condition in the x86 KVM subsystem in the Linux kernel allows guest
OS users to cause a denial of service (host OS crash or host OS memory
corruption) when nested virtualisation and the TDP MMU are enabled

For other upstream fixes in this update, see the referenced changelogs.