CVE-2012-4508 : Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information

Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized.

Published 2012-12-21 11:47:37

Updated 2023-02-13 04:34:37

Source Red Hat, Inc.

View at NVD, CVE.org

Threat overview for CVE-2012-4508

Top countries where our scanners detected CVE-2012-4508

Top open port discovered on systems with this issue 49152

IPs affected by CVE-2012-4508 143,639

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2012-4508!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2012-4508

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-4508

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-4508

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-4508

http://www.openwall.com/lists/oss-security/2012/10/25/1

oss-security - CVE-2012-4508 -- kernel: ext4: AIO vs fallocate stale data exposure
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=dee1f973ca341c266229faa5a1a5bb268bed3531
http://rhn.redhat.com/errata/RHSA-2013-1519.html

RHSA-2013:1519 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1645-1

USN-1645-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.16

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091110.html

[SECURITY] Fedora 16 Update: kernel-3.6.5-2.fc16

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-1540.html

RHSA-2012:1540 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1900-1

USN-1900-1: Linux kernel (EC2) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-1783.html

RHSA-2013:1783 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0496.html

RHSA-2013:0496 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=869904

869904 – (CVE-2012-4508) CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
https://www.suse.com/support/update/announcement/2012/suse-su-20121679-1.html

SUSE-SU-2012:1679-1

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1899-1

USN-1899-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://github.com/torvalds/linux/commit/dee1f973ca341c266229faa5a1a5bb268bed3531

ext4: race-condition protection for ext4_convert_unwritten_extents_endio · torvalds/linux@dee1f97 · GitHub
Patch

Products affected by CVE-2012-4508