SB20250226606 - Use of uninitialized resource in Linux kernel nfs

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of uninitialized resource (CVE-ID: CVE-2022-49418)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the nfs4_xdr_dec_fs_locations() function in fs/nfs/nfs4xdr.c, within the nfs4_try_migration() function in fs/nfs/nfs4state.c, within the nfs4_get_referral(), _nfs4_proc_fs_locations(), _nfs40_proc_get_locations() and _nfs41_proc_get_locations() functions in fs/nfs/nfs4proc.c, within the nfs_do_refmount() function in fs/nfs/nfs4namespace.c. A local user can perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/6015292653d95ba9f72906e2b65e536aa5807d64
• https://git.kernel.org/stable/c/c3ed222745d9ad7b69299b349a64ba533c64a34f
• https://git.kernel.org/stable/c/eb1fe9600b86c24a789046bfc5c6851dda119280
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.77