{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-0175", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-02T23:18:41.984Z", "dateReserved": "2022-01-10T00:00:00", "datePublished": "2022-08-26T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-16T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure."}], "affected": [{"vendor": "n/a", "product": "virglrenderer", "versions": [{"version": "Affects v0.9.0 and later.", "status": "affected"}]}], "references": [{"url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654"}, {"url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039003"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2022-0175"}, {"url": "https://access.redhat.com/security/cve/CVE-2022-0175"}, {"name": "GLSA-202210-05", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-05"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-909 - Missing Initialization of Resource", "cweId": "CWE-909"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.984Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654", "tags": ["x_transferred"]}, {"url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039003", "tags": ["x_transferred"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2022-0175", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2022-0175", "tags": ["x_transferred"]}, {"name": "GLSA-202210-05", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-05"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:virglrenderer_project:virglrenderer:0.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F71DD71-4A3D-412A-B4B4-5EDD00424A4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:virglrenderer_project:virglrenderer:0.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "C035636F-B303-420F-8500-9914C9EEC8D4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*", "matchCriteriaId": "3AA08768-75AF-4791-B229-AE938C780959", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en VirGL virtual OpenGL renderer (virglrenderer). El virgl no inicializaba apropiadamente la memoria cuando asignaba un recurso de memoria respaldado por el host. Un hu\u00e9sped malicioso podr\u00eda usar este fallo para hacer un mapa del n\u00facleo del hu\u00e9sped y leer esta memoria no inicializada del anfitri\u00f3n, lo que posiblemente conllevar\u00eda a una divulgaci\u00f3n de informaci\u00f3n."}], "id": "CVE-2022-0175", "lastModified": "2024-11-21T06:38:04.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-26T18:15:08.660", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-0175"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039003"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2022-0175"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2022-0175"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2022-0175"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-05"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-909"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-909"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Jun Yao for reporting this issue.", "bugzilla": {"description": "virglrenderer: memory initialization issue in vrend_resource_alloc_buffer() can lead to info leak", "id": "2039003", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039003"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.", "A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-0175", "package_state": [{"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:8.2/virglrenderer", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}], "public_date": "2021-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-0175\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0175"], "statement": "This flaw does not affect Red Hat Enterprise Linux as `virglrenderer` is not shipped in RHEL. Support for VirGL was enabled as a Technology Preview in Red Hat Enterprise Linux Advanced Virtualization 8.2 and later disabled in Red Hat Enterprise Linux Advanced Virtualization 8.3. For more information on the Technology Preview support scope, please refer to https://access.redhat.com/support/offerings/techpreview.", "threat_severity": "Moderate"}