Skip to content

Linux kernel: race condition in Linux kernel's IP framework XFRM

Moderate
frezbo published GHSA-34vw-m4rh-r36p Sep 8, 2022

Package

No package listed

Affected versions

< 1.2.0

Patched versions

>= 1.2.0

Description

Impact

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

Patches

The fix has been backported to 5.15.64 version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue.

Kubernetes workloads running in Talos are not affected since user namespaces are disabled in Talos kernel config. So an unprivileged user cannot obtain CAP_NET_ADMIN by unsharing. However untrusted workloads that run with privileged: true or having NET_ADMIN capability poses a risk.

Workarounds

Audit kubernetes workloads running in the cluster with privileged: true set or having NET_ADMIN capability and assess the threat vector.

References

For more information

Severity

Moderate

CVE ID

CVE-2022-3028

Weaknesses

No CWEs