Potential security vulnerabilities in some Intel® QuickAssist Technology (QAT) drivers may allow escalation of privilege, information disclosure or denial of service. Intel is releasing software updates to mitigate these potential vulnerabilities.
CVEID: CVE-2022-21804
Description: Out-of-bounds write in software for the Intel® QAT Driver for Windows before version 1.9.0-0008 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.4 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CVEID: CVE-2022-21239
Description: Out-of-bounds read in software for the Intel® QAT Driver for Windows before version 1.9.0-0008 may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 5.6 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2022-41808
Description: Improper buffer restriction in software for the Intel® QAT Driver for Linux before version 1.7.l.4.12 may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 3.3 Low
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Windows:
The Intel® QAT Driver for Windows before version 1.9.0-0008.
Linux:
The Intel® QAT Driver for Linux before version 1.7.l.4.12.
Windows:
Intel recommends updating Intel® QAT Driver for Windows to version 1.9.0-0008 or later.
Updates are available for download at this location:
<https://www.intel.com/content/www/us/en/download/19732>
Linux:
Intel recommends updating Intel® QAT Driver for Linux to version 1.7.l.4.12 or later.
Updates are available for download at this location:
<https://01.org/sites/default/files/downloads/qat1.7.l.4.12.0-00011.tar.gz>
Intel would like to thank Zimi of Alibaba Orion Security Lab (CVE-2022-21804 and CVE-2022-21229) for reporting these issues.
The following issue (CVE-2022-41808) was found internally by an Intel employee. Intel would like to thank Lukasz Odzioba.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.