The Debian Project published this week a massive Linux kernel security update for its Debian GNU/Linux 11 “Bullseye” operating system series to address 19 security vulnerabilities discovered by various security researchers in the upstream Linux 5.10 LTS kernel, which may lead to privilege escalation, denial of service or information leaks.
Patched in this new Linux kernel security update for Debian GNU/Linux 11, there’s CVE-2021-4197, a security vulnerability reported by Eric Biederman in the cgroup process migration implementation, which could allow a local attacker to escalate privileges, as well as CVE-2022-0168, a NULL pointer dereference flaw found in the CIFS client implementation, which can allow a local attacker with CAP_SYS_ADMIN privileges to crash the system.
Also patched are CVE-2022-1016, a flaw discovered by David Bouman in the netfilter subsystem, which could allow a local attacker to read sensitive information, CVE-2022-1048, a race condition discovered by Hu Jiahui in the sound subsystem, which could allow a local user with access to a PCM sound device to crash the system or escalate privileges, as well as CVE-2022-1195 and CVE-2022-1198, race conditions discovered by Lin Ma and Duoming Zhou in the 6pack and mkiss hamradio drivers, which could lead to a use-after-free and allow a local user to cause a denial of service (memory corruption or crash) or escalate privileges.
The new Debian GNU/Linux 11 kernel security update addresses a bug discovered by Qiuhao Li, Gaoning Pan, and Yongkang Jia in the KVM implementation for x86 processors, CVE-2022-1158, which is said to allow a local user with access to /dev/kvm to cause the MMU emulator to update page table entry flags at the wrong address, which could be used for privilege escalation or denial of service (memory corruption or crash).
Among other notable security fixes included in this update, there are fixes for CVE-2022-28388, CVE-2022-28389, and CVE-2022-28390, three double-free vulnerabilities found in the 8 devices USB2CAN, Microchip CAN BUS Analyzer, and EMS CPC-USB/ARM7 CAN/USB interface drivers, the CVE-2022-1199, CVE-2022-1204, and CVE-2022-1205 race conditions discovered by Duoming Zhou in the AX.25 hamradio protocol, which could allow a local user to cause a denial of service (memory corruption or crash) or escalate privileges, and CVE-2022-28356, a flaw discovered by Beraphin in the ANSI/IEEE 802.2 LLC type 2 driver, which could allow a local attacker to cause a denial of service.
The CVE-2022-26490 buffer overflow discovered in the STMicroelectronics ST21NFCA core driver was patched as well in this new Linux kernel security update for Debian Bullseye, which could lead to denial of service or privilege escalation, and the CVE-2022-1516 NULL pointer dereference flaw discovered in the X.25 network protocol implementation, which can result in a denial of service. However, the Debian Project notes the fact that these drivers aren’t enabled in Debian’s official kernel configurations.
Also worth mentioning is CVE-2022-29582, a use-after-free vulnerability discovered by Jayden Rivers and David Bouman in the io_uring subsystem, which could allow a local unprivileged user to escalate privileges, as well as CVE-2022-27666, a possible buffer overflow reported by “valis” in the IPsec ESP transformation code that could allow a local user to cause a denial of service or escalate privileges.
Last but not least, the new Debian GNU/Linux 11 “Bullseye” kernel security update addresses CVE-2022-1353, an information leak flaw found with the TCS Robot tool in the PF_KEY subsystem, which could allow a local unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.
All these vulnerabilities are now patched in the Linux 5.10.113-1 kernel update for the Debian GNU/Linux 11 operating system series. Therefore, the Debian Project urges all users to update their installations to the new kernel version as soon as possible and perform a reboot. To update your Debian Bullseye installations, run the sudo apt update && sudo apt full-upgrade command in a terminal emulator.
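Because the fix only takes effect once the new kernel is actually booted, the check an administrator wants after the upgrade is whether the running kernel is at least the fixed revision 5.10.113-1, not merely whether the package is installed. The script below is an added example, not part of the article or of Debian's own tooling. It assumes that Debian kernels embed their package version in the output of uname -v as "Debian <version>" (for example "#1 SMP Debian 5.10.113-1 (date)"); the sample string and date used in the comments are constructed.

```shell
#!/bin/sh
# Added example: verify that the *running* Debian Bullseye kernel is at least
# the fixed revision 5.10.113-1 from this security update. Assumes the Debian
# kernel build stamps its package version into `uname -v`, e.g. the constructed
# sample "#1 SMP Debian 5.10.113-1 (2022-04-29)".

FIXED_VERSION="5.10.113-1"

# Print the Debian kernel package version found in a `uname -v` string
# (e.g. "5.10.113-1"); print nothing if the string is not a Debian kernel.
debian_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([0-9][0-9.]*-[0-9][0-9a-z.+~]*\).*/\1/p'
}

# Compare two dotted numeric versions (e.g. 5.10.113 vs 5.10.92).
# Returns 0 if $1 >= $2, 1 otherwise. Missing components count as 0.
dotted_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Split a Debian version "upstream-revision" and return 0 if $1 >= $2.
# The upstream part decides first; the Debian revision breaks ties.
kernel_version_ge() {
    up1="${1%%-*}"; up2="${2%%-*}"
    case "$1" in *-*) rev1="${1#*-}"; rev1="${rev1%%[!0-9]*}";; *) rev1=0;; esac
    case "$2" in *-*) rev2="${2#*-}"; rev2="${rev2%%[!0-9]*}";; *) rev2=0;; esac
    if dotted_ge "$up1" "$up2"; then
        if dotted_ge "$up2" "$up1"; then
            [ "${rev1:-0}" -ge "${rev2:-0}" ]
        else
            return 0
        fi
    else
        return 1
    fi
}

# Returns 0 when the kernel currently running is at least FIXED_VERSION.
running_kernel_is_fixed() {
    v=$(debian_kernel_version "$(uname -v)")
    [ -n "$v" ] && kernel_version_ge "$v" "$FIXED_VERSION"
}

if running_kernel_is_fixed; then
    echo "running kernel $(uname -r) carries Debian version >= $FIXED_VERSION"
else
    echo "running kernel is not a Debian kernel >= $FIXED_VERSION (not rebooted yet, or not Debian)"
fi
```

Run it after the reboot; if the installed package is new but the message still reports an older version, the machine is still on the vulnerable kernel.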
Image credits: Debian Project (edited by Marius Nestor)