The Linux kernel has a vulnerability in the ISDN (Integrated Services Digital Network) subsystem, specifically in the capi (Capi Protocol Implementation) module. The issue arises when adding a cmtp (Connection-oriented Message Transfer Protocol) session to a controller and running a kernel thread to process cmtp.

During this process, the kernel thread calls `detach_capi_ctr()` to detach a registered controller. However, if the controller is not attached yet, `detach_capi_ctr()` triggers an array-index-out-of-bounds bug. This occurs because the function does not check the value of `ctr->cnr` before using it as an index into an array.

Triggering the out-of-bounds access can lead to a denial of service (DoS) or potentially even arbitrary code execution.

The affected file is `drivers/isdn/capi/kcapi.c`. The issue has been fixed in various kernel versions, including 4.4.290, 4.9.288, 4.14.253, 4.19.214, 5.4.156, 5.10.76, 5.14.15, and 5.15.

The Linux kernel CVE team recommends updating to the latest stable kernel version to fix this issue, as individual changes are never tested alone but rather as part of a larger kernel release. If updating is not possible, the individual commits that resolve this issue can be found at the provided Git links.
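As an added illustration (not the kernel's code and not taken from this page), the following constructed C model shows the class of check the advisory describes: a controller table indexed by `ctr->cnr - 1`, and a detach routine that validates `cnr` before using it as an index. The table size `CAPI_MAXCONTR`, the struct layout, and the helper names are assumptions for the example; the unattached state is modelled as `cnr == 0`, which without the check would index one slot before the array.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size for this example; the kernel defines its own value. */
#define CAPI_MAXCONTR 32

/* Simplified stand-in for the kernel's controller descriptor (assumption). */
struct capi_ctr {
    int cnr;          /* 1-based controller number once attached; 0 while unattached */
    const char *name; /* label used only for printing */
};

/* Table indexed by cnr - 1, mirroring the 1-based numbering the advisory implies. */
static struct capi_ctr *capi_controller[CAPI_MAXCONTR];
static int ncontrollers;

/* Reset the model so scenarios can be run independently. */
static void reset_table(void)
{
    memset(capi_controller, 0, sizeof(capi_controller));
    ncontrollers = 0;
}

/* Attach: take the first free slot and record its 1-based number in ctr->cnr. */
static int attach_ctr(struct capi_ctr *ctr)
{
    for (int i = 0; i < CAPI_MAXCONTR; i++) {
        if (!capi_controller[i]) {
            capi_controller[i] = ctr;
            ctr->cnr = i + 1;
            ncontrollers++;
            return 0;
        }
    }
    return -EBUSY; /* table full */
}

/* Detach with the bounds check the advisory says was missing: a controller
 * that was never attached (cnr == 0) or carries a number beyond the table is
 * rejected instead of being used as an array index. */
static int detach_ctr(struct capi_ctr *ctr)
{
    if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR)
        return -EINVAL;                      /* would index out of bounds */
    if (capi_controller[ctr->cnr - 1] != ctr)
        return -EINVAL;                      /* slot does not hold this controller */
    capi_controller[ctr->cnr - 1] = NULL;
    ncontrollers--;
    ctr->cnr = 0;                            /* back to the unattached state */
    return 0;
}

int main(void)
{
    struct capi_ctr unattached = { .cnr = 0, .name = "never-attached" };
    struct capi_ctr attached   = { .cnr = 0, .name = "attached" };

    reset_table();
    printf("detach unattached -> %d (expect -EINVAL)\n", detach_ctr(&unattached));
    attach_ctr(&attached);
    printf("detach attached   -> %d (expect 0)\n", detach_ctr(&attached));
    printf("detach again      -> %d (expect -EINVAL)\n", detach_ctr(&attached));
    return 0;
}
```

The point of the model is the order of operations: the validity of `cnr` is established before the table is touched, so an unattached or corrupted controller number turns into an error return rather than an out-of-bounds memory access.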