multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Multipath-tools | Opensvc | 0.7.7 (including) | 0.9.2 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | device-mapper-multipath-0:0.8.4-37.el8 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | device-mapper-multipath-0:0.8.4-22.el8_6.5 | * |
| Red Hat Enterprise Linux 9 | RedHat | device-mapper-multipath-0:0.8.7-20.el9 | * |
| Multipath-tools | Ubuntu | devel | * |
| Multipath-tools | Ubuntu | focal | * |
| Multipath-tools | Ubuntu | jammy | * |
| Multipath-tools | Ubuntu | kinetic | * |
| Multipath-tools | Ubuntu | trusty | * |
| Multipath-tools | Ubuntu | xenial | * |