Vulnerabilities > CVE-2022-0175 - Missing Initialization of Resource vulnerability in multiple products

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

local

low complexity

virglrenderer-project

redhat

CWE-909

NVD

Published: 2022-08-26

Updated: 2022-11-08

Summary

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

Vulnerable Configurations

Part	Description	Count
Application	Virglrenderer_Project Virglrenderer Project Virglrenderer 0.9.1 Virglrenderer Project Virglrenderer 0.9.0	2
OS	Redhat Redhat Enterprise Linux 8.0	1

Common Weakness Enumeration (CWE)

CWE-909 - Missing Initialization of Resource

References

https://security-tracker.debian.org/tracker/CVE-2022-0175
https://bugzilla.redhat.com/show_bug.cgi?id=2039003
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c
https://access.redhat.com/security/cve/CVE-2022-0175
https://security.gentoo.org/glsa/202210-05