Linux secure networking security bug found and fixed

Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-2766, in IPSec's esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.

The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow.” Yes, yes it will.
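To make the quoted description concrete, here is an added example that is not from the article and not kernel or esp6 code. It models the shape of the defect in plain C: a fixed 8-page (32 KiB) receive buffer, a copy that trusts the sender's length, and the corrected copy that rejects anything larger than the buffer. The "heap" is a constructed single array in which the bytes after the buffer stand in for a neighbouring heap object, so an overrun is visible as corruption of that neighbour rather than as undefined behaviour; the clamp in `recv_unchecked` exists only to keep the demonstration inside that array. All names and sizes other than the 8-page figure are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE   4096u
#define RECV_PAGES  8u
#define RECV_CAP    (PAGE_SIZE * RECV_PAGES)  /* 32 KiB: the 8-page receive buffer */
#define SLACK       64u                       /* bytes past the buffer in the model */
#define ARENA_SIZE  (RECV_CAP + SLACK)

#define NEIGHBOUR_MAGIC 0xA5u

/* Constructed model of a heap region: the receive buffer followed by bytes that
 * stand in for a neighbouring heap object. It is one array so that every write
 * in the demo stays inside a single object and the C remains well-defined. */
struct heap_model {
    uint8_t mem[ARENA_SIZE];
};

static void heap_model_init(struct heap_model *h)
{
    memset(h->mem, 0, RECV_CAP);
    memset(h->mem + RECV_CAP, NEIGHBOUR_MAGIC, SLACK);
}

/* 1 if the neighbouring object still holds its fill pattern, else 0. */
int neighbour_intact(const struct heap_model *h)
{
    for (size_t i = RECV_CAP; i < ARENA_SIZE; i++)
        if (h->mem[i] != NEIGHBOUR_MAGIC)
            return 0;
    return 1;
}

/* The defect pattern: the sender's length is trusted, so a message longer than
 * the 8-page buffer is copied straight past its end into whatever follows. */
static void recv_unchecked(struct heap_model *h, const uint8_t *msg, size_t len)
{
    if (len > ARENA_SIZE)
        len = ARENA_SIZE;  /* model-only clamp: keeps the demo inside the arena */
    memcpy(h->mem, msg, len);
}

/* The corrected pattern: check the length against the buffer before copying. */
static int recv_checked(struct heap_model *h, const uint8_t *msg, size_t len)
{
    if (len > RECV_CAP)
        return -1;  /* does not fit; nothing is written */
    memcpy(h->mem, msg, len);
    return 0;
}

/* Constructed sender message: ARENA_SIZE bytes of 0x41. */
static const uint8_t *sample_message(void)
{
    static uint8_t msg[ARENA_SIZE];
    memset(msg, 0x41, sizeof msg);
    return msg;
}

/* Returns 1 if the neighbour survives an unchecked receive of `len` bytes. */
int demo_unchecked(size_t len)
{
    static struct heap_model h;
    heap_model_init(&h);
    recv_unchecked(&h, sample_message(), len);
    return neighbour_intact(&h);
}

/* Returns the checked receive's status: 0 accepted, -1 rejected as too large. */
int demo_checked(size_t len)
{
    static struct heap_model h;
    heap_model_init(&h);
    return recv_checked(&h, sample_message(), len);
}

/* Returns 1 if the neighbour survives a checked receive of `len` bytes. */
int demo_checked_intact(size_t len)
{
    static struct heap_model h;
    heap_model_init(&h);
    (void)recv_checked(&h, sample_message(), len);
    return neighbour_intact(&h);
}

int main(void)
{
    printf("unchecked, 8 pages:       neighbour intact = %d\n", demo_unchecked(RECV_CAP));
    printf("unchecked, 8 pages + 16B: neighbour intact = %d\n", demo_unchecked(RECV_CAP + 16));
    printf("checked,   8 pages + 16B: rc = %d, neighbour intact = %d\n",
           demo_checked(RECV_CAP + 16), demo_checked_intact(RECV_CAP + 16));
    return 0;
}
```

The point of the model is the second printed line: with the unchecked copy, a message only 16 bytes longer than the buffer already alters the object next to it, which is the "overwrite kernel heap objects" outcome the advisories describe. The checked version refuses the oversized message before any byte is written, which is the whole of the fix pattern for this class of bug.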

As buffer overflows always are, this is bad news. As Red Hat puts it in its security advisory on the bug, “This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.” 

This is bad enough that both Red Hat and the National Institute of Standards and Technology (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with such high scores, it’s a “Fix it now!” bug.
