Canonical released today a new Linux kernel security update for Ubuntu 22.10 (Kinetic Kudu) users to address nine security vulnerabilities.
The new kernel security update for Ubuntu 22.10 patches CVE-2022-2196, a vulnerability where the KVM VMX implementation failed to handle indirect branch prediction isolation between L1 and L2 virtual machines, allowing an attacker in a guest virtual machine to expose sensitive information from the host operating system or other guest virtual machines.
Also patched are CVE-2022-42328 and CVE-2022-42329, two race conditions discovered in the Xen network backend driver that could allow an attacker to cause a denial of service (kernel deadlock), as well as CVE-2023-0266, a use-after-free vulnerability discovered in the ALSA (Advanced Linux Sound Architecture) subsystem that could allow a local attacker to cause a denial of service (system crash).
Furthermore, the new Ubuntu 22.10 kernel security update addresses CVE-2023-0469, a use-after-free vulnerability discovered in the io_uring subsystem, and CVE-2023-1195, another use-after-free vulnerability found in the CIFS network file system. Both vulnerabilities could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.
A race condition was also patched in this kernel update, namely CVE-2022-4382, discovered by Gerald Lee in the USB Gadget file system implementation, which could lead to a use-after-free in some situations and allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code.
Last but not least, the new Ubuntu 22.10 kernel security update fixes CVE-2023-0045, a flaw discovered by José Oliveira and Rodrigo Branco in the prctl syscall implementation that made the kernel fail to protect against indirect branch prediction attacks and allowed a local attacker to expose sensitive information, as well as CVE-2023-23559, an integer overflow vulnerability found in the RNDIS USB driver that could allow a local attacker with physical access to cause a denial of service (system crash) or execute arbitrary code by plugging in a malicious USB device.
Canonical urges all Ubuntu 22.10 (Kinetic Kudu) users to update their systems as soon as possible to linux-image 184.108.40.206.34 kernel for 64-bit systems or linux-image-raspi 5.19.0-1015.22 for Raspberry Pi systems. After installing the new kernel versions, make sure to reboot your system, as well as to rebuild and reinstall any third-party kernel modules you might have installed.
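A post-update check for the steps above, added here as an example and not part of Canonical's advisory or tooling: it confirms the running kernel carries at least the patched ABI, and flags a pending reboot or DKMS-built third-party modules that have not been rebuilt for it. The Raspberry Pi package version is the one quoted above; for other flavours the `PATCHED_VERSION` variable is an assumed knob you set to the advisory's linux-image version.

```sh
#!/bin/sh
# Added example, not from the advisory. Requires GNU sort (-V) and, optionally, dkms.

# Return 0 if version $1 is greater than or equal to version $2.
# sort -V orders "5.19.0-1014" before "5.19.0-1015" and "5.19.0-35" before "5.19.0-1015".
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Reduce a `uname -r` string such as "5.19.0-1015-raspi" to its ABI, "5.19.0-1015".
kernel_abi() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*/\1/'
}

# Return 0 if the running kernel ($1, `uname -r` form) is at or above the ABI of the
# patched package version ($2, "5.19.0-1015.22" form). The trailing ".22" upload
# number is not part of the running kernel's version string, so it is dropped.
kernel_patched() {
    _want=$(printf '%s\n' "$2" | cut -d. -f1-3)
    version_ge "$(kernel_abi "$1")" "$_want"
}

# Print the status of this host against the patched version given as $1.
report() {
    running=$(uname -r)
    if kernel_patched "$running" "$1"; then
        echo "OK: running kernel $running is at or above $1"
    else
        echo "WARNING: running kernel $running is older than $1 (install the update and reboot)"
    fi
    # Ubuntu's update hooks create this file while a reboot is still pending.
    [ -f /var/run/reboot-required ] && echo "WARNING: /var/run/reboot-required is present"
    # DKMS modules must be rebuilt for the new kernel; list any not marked installed.
    if command -v dkms >/dev/null 2>&1; then
        dkms status -k "$running" | grep -v installed \
            && echo "WARNING: the DKMS modules above are not built for $running"
    fi
    return 0
}

# PATCHED_VERSION is an assumed environment knob; default is the raspi version above.
report "${PATCHED_VERSION:-5.19.0-1015.22}"
```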