FKIE_CVE-2022-23084

Vulnerability from fkie_nvd - Published: 2024-02-15 05:15 - Updated: 2026-06-17 04:29
Severity
7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
References
secteam@freebsd.orghttps://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.ascVendor Advisory
secteam@freebsd.orghttps://security.netapp.com/advisory/ntap-20240419-0003/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.ascVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240419-0003/Third Party Advisory
Impacted products
Vendor Product Version
freebsd freebsd *
freebsd freebsd 12.3
freebsd freebsd 12.3
freebsd freebsd 12.3
freebsd freebsd 12.3
freebsd freebsd 12.3
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
freebsd freebsd 13.0
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "netmap"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p1",
              "status": "affected",
              "version": "13.1-RC1",
              "versionType": "release"
            },
            {
              "lessThan": "p11",
              "status": "affected",
              "version": "13.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p5",
              "status": "affected",
              "version": "12.3-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "source": "secteam@freebsd.org"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "product": "freebsd",
          "vendor": "freebsd",
          "versions": [
            {
              "lessThan": "p1",
              "status": "affected",
              "version": "13.1-rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "p11",
              "status": "affected",
              "version": "13.0-release",
              "versionType": "custom"
            },
            {
              "lessThan": "p5",
              "status": "affected",
              "version": "12.3-release",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4497B7F-A3CF-43BD-B7AA-9D6D83612B98",
              "versionEndExcluding": "12.3",
              "versionStartIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "224B7627-CDDE-429A-852F-8A6066B501B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p1:*:*:*:*:*:*",
              "matchCriteriaId": "3B6DCD8A-331E-419F-9253-C4D35C1DF54B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p2:*:*:*:*:*:*",
              "matchCriteriaId": "4578E06C-16C6-435E-9E51-91CB02602355",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p3:*:*:*:*:*:*",
              "matchCriteriaId": "71FA1F6C-7E53-40F8-B9E1-5FD28D5DAADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.3:p4:*:*:*:*:*:*",
              "matchCriteriaId": "0EC87BCE-17F0-479B-84DC-516C24FBD396",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "174265E7-6B73-4546-B4C7-3826C7EB5624",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "7412DBD8-BB1F-48A8-AAE1-BA5C8D7BDDF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "833DFF5B-BC50-424A-ABCF-EC632F421B76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "9F27016E-4117-4094-BB7A-9C56E38024D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta3-p1:*:*:*:*:*:*",
              "matchCriteriaId": "EC7326E3-908D-47A1-B848-3AA7F34B3DD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "B149BF69-951D-47B4-996C-9E4773DA75B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "04A0E266-714C-4753-A652-A51F25582C78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p10:*:*:*:*:*:*",
              "matchCriteriaId": "D133E8E0-4E88-451C-9693-5DE5C3092AD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "556111A1-C236-4DF6-9438-F9C874451A58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "1673F16B-463A-492C-B66F-48917008F7F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "E73B211F-2CA9-47A4-B318-F24CC1C7E589",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "7C13DDEF-FF5F-4723-9C25-4EA66AE2CEDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "7A942EA9-0DD3-44BC-B582-C680BA34E88F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "689BC10B-0404-4468-B604-9D96337F9BD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "38DDAA43-3E9C-479F-8416-E3B9BE23C31B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "AE490480-1EA1-4684-A643-9749E87A8448",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FC271C93-EB83-4301-B7BA-F3249B71B1EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "04329338-AC28-4A74-BE6B-CE8EC6CC37B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "ADBA841F-5C83-4759-84B7-B59DA1B12EA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "6A8F38B3-A6DA-4178-A2BD-0D4F0267C384",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "9BB028A0-70F6-42DA-9E5A-F7AAF74ED45B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.0:rc5-p1:*:*:*:*:*:*",
              "matchCriteriaId": "00D28E4E-022B-482E-9952-7F7F47C427C2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin.  This time-of-check to time-of-use bug could lead to kernel memory corruption.\n\nOn systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment."
    },
    {
      "lang": "es",
      "value": "El tama\u00f1o total del nmreq proporcionado por el usuario a nmreq_copyin() se calcul\u00f3 primero y luego se confi\u00f3 en \u00e9l durante la copia. Este error de tiempo de verificaci\u00f3n a tiempo de uso podr\u00eda provocar da\u00f1os en la memoria del kernel. En sistemas configurados para incluir netmap en su devfs_ruleset, un proceso privilegiado que se ejecuta en una c\u00e1rcel puede afectar el entorno del host."
    }
  ],
  "id": "CVE-2022-23084",
  "lastModified": "2026-06-17T04:29:28.427",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2022-23084",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-02-15T16:46:40.534639Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-02-15T05:15:08.833",
  "references": [
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc"
    },
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240419-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240419-0003/"
    }
  ],
  "sourceIdentifier": "secteam@freebsd.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.