CVE-2022-36123: Linux kernel arbitrary code execution flaw


A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability (CVE-2022-36123) that an attacker can exploit to achieve arbitrary code execution.
The flaw occurs because the Linux kernel does not clear statically allocated variables in the block starting symbol (.bss), due to a failed early_xen_iret_patch, leading to an asm_exc_page_fault or arbitrary code execution. The issue is an out-of-bounds read that leads to an asm page fault. The researcher’s successful exploitation of this bug resulted in arbitrary code execution, as tested on Linux kernel mainline v5.18-rc1 through v5.19-rc6.
