Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
From: Kees Cook
Date: Thu Feb 29 2024 - 10:08:14 EST
On February 29, 2024 6:18:36 AM PST, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>As part of the requirement to be a CNA, we have to announce everything
>that we think is a potential vulnerability, severity not be judged at
> [...]
>Again, none of this has anything to do with "severity", it only is an
>identifier that says "this fixes a vulnerability".
The language here can perhaps be improved for better understanding by folks since "CVE" and "vulnerability" can mean different things to different people. I would say "this fixes a weakness".
CVEs are for anything deemed a "weakness"[1]. It doesn't need to rise to the level of what many people would consider a "vulnerability". (Modern attacks traditionally chain many weaknesses together to form an exploit, some of which look harmless when examined in isolation.)
I find it helps to keep in mind the "CIA" acronym of what makes up a security weakness: "negative impact to Confidentiality, Integrity, or Availability". (Not to be confused with the US Gov intelligence org with the name acronym, ironically.)
-Kees
[1] https://nvd.nist.gov/vuln
--
Kees Cook