Linux Kernel X.509 Out-of-Bounds Access Vulnerability in Certificate Extension Parsing

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of X.509 certificates, specifically when parsing the Basic Constraints and Key Usage extensions. The parser reads the first byte of each of these extensions before verifying that the extension has any length at all, so an empty extension results in an out-of-bounds read. The vulnerability can be triggered by an unprivileged user who submits a specially crafted certificate to the kernel via the keyrings API. The problem was demonstrated with a proof-of-concept program that was responsibly disclosed.
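As an added illustration (not the kernel's own parser), the length-before-content ordering that closes the bug described above; the check_extension function, its enum and the DER tag constants are assumed for this example:

```c
/* Added illustration, not the kernel's own code: a model of the check
 * ordering for a certificate extension value. The vulnerable ordering
 * read v[0] before looking at vlen, so an empty extension (vlen == 0)
 * read one byte past the end of the value. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Assumed DER tag values for the two extensions named in the advisory. */
#define TAG_SEQUENCE   0x30  /* basicConstraints value is a SEQUENCE */
#define TAG_BIT_STRING 0x03  /* keyUsage value is a BIT STRING */

enum ext_kind { EXT_BASIC_CONSTRAINTS, EXT_KEY_USAGE };

/* Hypothetical check: 0 if the value is well formed, -EBADMSG otherwise.
 * Every index into v is guarded by a test on vlen before it is used. */
int check_extension(enum ext_kind kind, const uint8_t *v, size_t vlen)
{
	if (vlen < 2)
		return -EBADMSG;	/* need tag + length before touching v[0] */
	if (v[1] > vlen - 2)
		return -EBADMSG;	/* inner length must fit inside the value */

	switch (kind) {
	case EXT_BASIC_CONSTRAINTS:
		/* An empty SEQUENCE (30 00) is valid and means cA = FALSE */
		return v[0] == TAG_SEQUENCE ? 0 : -EBADMSG;
	case EXT_KEY_USAGE:
		/* BIT STRING: unused-bits octet (0..7) plus >= 1 content octet;
		 * v[1] >= 2 guarantees vlen >= 4, so v[2] is in bounds here */
		if (v[0] != TAG_BIT_STRING || v[1] < 2 || v[2] > 7)
			return -EBADMSG;
		return 0;
	}
	return -EBADMSG;
}

int main(void)
{
	/* Constructed sample values: an empty extension and a valid keyUsage */
	const uint8_t empty[1] = {0};
	const uint8_t ku[] = {0x03, 0x02, 0x05, 0xa0};
	printf("empty:    %d\n", check_extension(EXT_KEY_USAGE, empty, 0));
	printf("keyUsage: %d\n", check_extension(EXT_KEY_USAGE, ku, sizeof ku));
	return 0;
}
```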

Impact

Exploitation of this vulnerability leads to out-of-bounds memory access, which is undefined behavior and may result in memory corruption or application crashes.

Reproduction

To reproduce this vulnerability, create a certificate whose Basic Constraints or Key Usage extension is empty, then submit it to the Linux kernel through the keyrings API. When the kernel parses the certificate, the out-of-bounds access is triggered.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree.

Added: Apr 20, 2026, 10:35 AM
Updated: Apr 20, 2026, 10:35 AM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  4.3
remediation     7.7
relevance       6.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.