Note: MontaVista Corporate offices will be closed on Monday, May 29, 2023. Support response delays may be experienced due to this closure.

MontaVista CVE List and Response

MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking the CVE Year to the left or use the CVE Filters below.

For inquiries regarding Security Vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team security@mvista.com. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.

Year
Product
Score
Severity
Status
CVE
CVE Score Severity Package Description Published
CVE-2023-24540
9.8 (i)
CGX 4.0 Under Investigation
CGX 3.1 Under Investigation
CGX 2.4 Under Investigation
CGX 2.0 Under Investigation
CGE 7.0 Under Investigation
CRITICALgo Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. 2023-05-11
CVE-2023-2610
7.8 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Under Investigation
Centos 7.9 Under Investigation
CGX 3.1 Under Investigation
CGX 2.4 Under Investigation
HIGHvim Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. 2023-05-09
CVE-2023-2513
6.7 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Pending Release
Centos 7.9 Under Investigation
CGX 3.1 Pending Release
CGX 2.4 Pending Release
MEDIUMkernel A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. 2023-05-08
CVE-2023-32233
7.8 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Pending Release
Centos 7.9 Under Investigation
CGX 3.1 Under Investigation
CGX 2.4 Pending Release
HIGHkernel In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled. 2023-05-08
CVE-2023-32269
6.7 (i)
CGX 2.4 Pending Release
Rocky 9.1 Under Investigation
CGX 4.0 Pending Release
Centos 7.9 Under Investigation
CGX 3.1 Under Investigation
MEDIUMkernel An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. 2023-05-05
CVE-2023-2235
7.8 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Not Affected
Centos 7.9 Not Affected
CGX 3.1 Not Affected
CGX 2.4 Not Affected
HIGHkernel A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2. 2023-05-01
CVE-2023-2236
7.8 (i)
CGX 2.4 Not Affected
Rocky 9.1 Not Affected
CGX 4.0 Not Affected
Centos 7.9 Not Affected
CGX 3.1 Not Affected
HIGHkernel A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4. 2023-05-01
CVE-2023-2426
5.5 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Under Investigation
Centos 7.9 Not Affected
CGX 3.1 Under Investigation
CGX 2.4 Under Investigation
MEDIUMvim Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. 2023-04-29
CVE-2023-31436
7.8 (i)
CGE 7.0 Pending Release
CGE 7.0 Under Investigation
Rocky 9.1 Under Investigation
CGX 4.0 Pending Release
Centos 7.9 Under Investigation
CGX 3.1 Pending Release
CGX 2.4 Pending Release
HIGHkernel qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. 2023-04-27
CVE-2023-0458
4.7 (i)
Rocky 9.1 Under Investigation
CGX 4.0 Pending Release
Centos 7.9 Under Investigation
CGX 3.1 Pending Release
CGX 2.4 Under Investigation
MEDIUMkernel A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 2023-04-26