Information disclosure in Linux Linux_kernel

CVE-2014-3917

kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS…

Vulnerability class: Information Disclosure

EPSS: 0.001 (25.4th percentile) — read the EPSS interpretation.

Affected products

Linux Linux_kernel — versions 3.14, 3.14.1, 3.14.2
Redhat Enterprise_linux — versions 5, 6.0
Redhat Enterprise_mrg — versions 2.0
Suse Linux_enterprise_desktop — versions 10.0
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

[linux-kernel] 20140528 [PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking (mailing-list, x_refsource_MLIST)
USN-2335-1 (x_refsource_UBUNTU, vendor-advisory)
USN-2334-1 (x_refsource_UBUNTU, vendor-advisory)
60564 (x_refsource_SECUNIA, third-party-advisory)
59777 (x_refsource_SECUNIA, third-party-advisory)
RHSA-2014:1143 (x_refsource_REDHAT, vendor-advisory)
60011 (x_refsource_SECUNIA, third-party-advisory)
[oss-security] 20140529 Re: CVE request: Linux kernel DoS with syscall auditing (mailing-list, x_refsource_MLIST)
cve@mitre.org (x_refsource_CONFIRM)
RHSA-2014:1281 (x_refsource_REDHAT, vendor-advisory)