Vulnerability Note VU#981134
Linux kernel USB drivers do not initialize kernel memory properly
Various Linux USB drivers contain an information disclosure vulnerability that may expose sensitive segments of kernel memory to users.
USB drivers for several versions the Linux kernel do not properly initialize kernel memory before using it. When an affected USB driver copies uninitialized memory from kernel space to user space (with the copy_to_user function), the previous kernel memory contents will be copied as well. In some cases, this will grant a user inappropriate access to sensitive segments of kernel memory.
Users may be able to view sensitive segments of kernel memory.
Check with Vendor
Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Gentoo Linux||Affected||-||30 Aug 2004|
|SuSE Inc.||Affected||22 Oct 2004||25 Oct 2004|
|Ingrian Networks||Not Affected||22 Oct 2004||22 Oct 2004|
|Connectiva||Unknown||-||22 Oct 2004|
|Debian||Unknown||22 Oct 2004||22 Oct 2004|
|Engarde||Unknown||-||22 Oct 2004|
|Hewlett-Packard Company||Unknown||22 Oct 2004||22 Oct 2004|
|IBM-zSeries||Unknown||22 Oct 2004||22 Oct 2004|
|IBM eServer||Unknown||22 Oct 2004||22 Oct 2004|
|Immunix||Unknown||-||22 Oct 2004|
|MandrakeSoft||Unknown||-||22 Oct 2004|
|MontaVista Software||Unknown||22 Oct 2004||22 Oct 2004|
|Novell||Unknown||-||22 Oct 2004|
|Openwall GNU/*/Linux||Unknown||22 Oct 2004||25 Oct 2004|
|Red Hat Inc.||Unknown||22 Oct 2004||22 Oct 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by Tim Yamin.
This document was written by Jeff Gennari.
- CVE IDs: CAN-2004-0685
- Date Public: 25 Aug 2004
- Date First Published: 22 Oct 2004
- Date Last Updated: 25 Oct 2004
- Severity Metric: 0.48
- Document Revision: 151