CVE-2014-5332

Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.

CVSS v2.0 6.9 MEDIUM

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html	Exploit
http://nvidia.custhelp.com/app/answers/detail/a_id/3618	Vendor Advisory
http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html	Exploit
http://nvidia.custhelp.com/app/answers/detail/a_id/3618	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:3.10:*:*:*:*:*:*:*

History

21 Nov 2024, 02:11

Type	Values Removed	Values Added
References	~~() http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html - Exploit~~	() http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html - Exploit
References	~~() http://nvidia.custhelp.com/app/answers/detail/a_id/3618 - Vendor Advisory~~	() http://nvidia.custhelp.com/app/answers/detail/a_id/3618 - Vendor Advisory

Information

Published : 2015-02-06 11:59

Updated : 2024-11-21 02:11

NVD link : CVE-2014-5332

Mitre link : CVE-2014-5332

CVE.ORG link : CVE-2014-5332

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2014-5332", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-02-06T11:59:03.467", "references": [{"url": "http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html", "tags": ["Exploit"], "source": "vultures@jpcert.or.jp"}, {"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/3618", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "http://googleprojectzero.blogspot.com/2015/01/exploiting-nvmap-to-escape-chrome.html", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/3618", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox."}, {"lang": "es", "value": "Condici\u00f3n de carrera en NVMap en NVIDIA Tegra Linux Kernel 3.10 permite a usuarios locales obtener privilegios a trav\u00e9s de una llamada IOCTL NVMAP_IOC_CREATE manipulada, lo que desencadena un error de uso despu\u00e9s de liberaci\u00f3n de memoria, seg\u00fan lo demostrado mediante el uso de una condici\u00f3n de carrera para escapar del sandbox de Chrome."}], "lastModified": "2024-11-21T02:11:51.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:3.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C37F47C-C217-4BCF-A758-14E1BDBAD63D"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}