CVE-2025-0662

CVE-2025-0662: Uninitialized kernel memory disclosure via ktrace(2)

Vendor Freebsd
Product FreeBSD
Weakness CWE-122
Published January 30, 2025
Last update February 7, 2025

CVSS base score

What the vulnerability does

01Description

In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace. It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.

Key dates

02Disclosure timeline

January 30, 2025 CVE published
February 7, 2025 Record updated