CVE-2013-2094
HIGH severity · CVSS 8.4 · CWE-189 · actively exploited (CISA KEV)
Actively exploited in the wild (CISA Known Exploited Vulnerabilities).
Added to KEV 2022-09-15. US federal agencies must patch by 2022-10-06.
Summary
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
Impact & exploitability
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: High
Availability impact: High
Exploit probability (EPSS): 48%
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8176cced706b5e5d15887584150764894e94e02f
- http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html (Advisory)
- http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00008.html (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00018.html (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00005.html (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00009.html (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00017.html (Advisory)