CVE-2013-3237

Description

The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

How to fix CVE-2013-3237

To remediate CVE-2013-3237, upgrade the affected package to a fixed version below.

• Debian/open-vm-tools—upgrade to 2:9.2.2-893683-8 or later

Is CVE-2013-3237 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2:9.2.2-893683-8

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-3237