Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-33967

Published: 20 July 2022

squashfs filesystem implementation of U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap-based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.

Priority

Medium

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package Release Status
u-boot
Launchpad, Ubuntu, Debian
kinetic Not vulnerable
(2022.07+dfsg-1ubuntu4)
lunar Not vulnerable
(2022.07+dfsg-1ubuntu4)
bionic
Released (2020.10+dfsg-1ubuntu0~18.04.3)
focal
Released (2021.01+dfsg-3ubuntu0~20.04.5)
jammy
Released (2022.01+dfsg-2ubuntu2.3)
trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

impish Ignored
(end of life)
mantic Not vulnerable
(2022.07+dfsg-1ubuntu4)
Patches:
upstream: https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H