Low severity · NVD Advisory · Published Dec 13, 2022 · Updated Apr 18, 2025

rust-vmm linux-loader vulnerable to Out-of-bounds Read

CVE-2022-23523

Description

CVE-2022-23523: The linux-loader crate can enter an infinite loop when loading a maliciously crafted ELF kernel image whose headers point beyond the end of the file; fixed in 0.8.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In versions prior to 0.8.1, the linux-loader crate used offsets and sizes from the ELF headers to determine read positions without verifying that those offsets point within the file [1][2]. This oversight allowed a malformed ELF header to specify segment or note offsets beyond the file boundary, causing the loader to attempt reads past the end of the file.

An attacker who can supply a crafted ELF kernel image (e.g., through a boot stream or an untrusted source) could exploit this by setting headers such as the program header offset or note segment offsets to values exceeding the file size [3][4]. Once the cursor is past the end of the file, the underlying read call returns zero bytes without advancing it, so the crate's read loop makes no progress and never terminates.

The vulnerability affects Virtual Machine Monitors (VMMs) that use the linux-loader crate to parse ELF kernel images. The primary impact is a denial of service, as the affected VMM becomes unresponsive due to the infinite loop [1]. There is no evidence of memory corruption or privilege escalation from this issue.

The fix was implemented in commit a44f152 and released in version 0.8.1 [3][4]. The patch replaced the custom read_from function with read_exact, which properly returns an error when insufficient bytes are available, preventing the infinite loop. Administrators should update to linux-loader 0.8.1 or later. If an immediate update is not possible, the issue can be mitigated by ensuring only trusted kernel images are loaded and by verifying that ELF headers do not reference offsets beyond the file end [1].
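The mechanics described above, as an added example that is not linux-loader's own code: a pre-fix style loop that keeps calling `read` until a header-sized buffer is full (and therefore spins when `read` returns `Ok(0)` at end of file), next to the `read_exact` pattern from the fix commit, which returns `UnexpectedEof` instead, plus the offset-plus-size bounds check the mitigation paragraph suggests. `FakePhdr`, `NHDR_SZ`, `parse_notes`, `phdr_fits` and the 16-byte image are constructed for this example; the iteration cap in `read_loop_unbounded` exists only so the spin can be reported rather than hang.

```rust
// Added example, not linux-loader's code: models the read pattern the
// advisory describes, with the pre-0.8.1 "loop on read()" behaviour beside
// the read_exact replacement from the fix commit.
use std::io::{self, Cursor, Read, Seek, SeekFrom};

/// Hypothetical stand-in for the two Elf64_Phdr fields the note loop uses.
#[derive(Clone, Copy, Debug)]
pub struct FakePhdr {
    pub p_offset: u64,
    pub p_filesz: u64,
}

/// Size of an Elf64_Nhdr (three u32 fields: n_namesz, n_descsz, n_type).
pub const NHDR_SZ: usize = 12;

/// Pre-fix style: keep calling `read` until `buf` is full. At end of file
/// `read` returns Ok(0) without moving the cursor, so `filled` never grows
/// and the loop spins. `max_iters` is a cap that exists only so this example
/// can report the spin instead of hanging; the real loop had no such cap.
pub fn read_loop_unbounded<R: Read>(
    r: &mut R,
    buf: &mut [u8],
    max_iters: usize,
) -> Result<usize, String> {
    let mut filled = 0usize;
    let mut reads = 0usize;
    while filled < buf.len() {
        if reads == max_iters {
            return Err(format!(
                "no progress after {} reads ({} of {} bytes filled)",
                reads, filled, buf.len()
            ));
        }
        let n = r.read(&mut buf[filled..]).map_err(|e| e.to_string())?;
        filled += n; // n == 0 at EOF: no progress, loop would spin forever
        reads += 1;
    }
    Ok(filled)
}

/// Post-fix style note walk, mirroring the third hunk of the patch: seek to
/// the segment and read one Nhdr per iteration with read_exact, which fails
/// with ErrorKind::UnexpectedEof instead of returning Ok(0) when the image is
/// too short. Returns the number of note headers read.
pub fn parse_notes<R: Read + Seek>(r: &mut R, phdr: FakePhdr) -> io::Result<usize> {
    r.seek(SeekFrom::Start(phdr.p_offset))?;
    let mut nhdr = [0u8; NHDR_SZ];
    let mut read_size = 0usize;
    let mut count = 0usize;
    while read_size < phdr.p_filesz as usize {
        r.read_exact(&mut nhdr)?; // errors out at EOF rather than looping
        read_size += NHDR_SZ;
        count += 1;
    }
    Ok(count)
}

/// Pre-read bounds check of the kind the mitigation paragraph suggests: does
/// the byte range a header describes lie inside an image of `file_len` bytes?
/// checked_add rejects offset/size pairs that wrap around u64.
pub fn phdr_fits(phdr: FakePhdr, file_len: u64) -> bool {
    phdr.p_offset
        .checked_add(phdr.p_filesz)
        .map_or(false, |end| end <= file_len)
}

fn main() {
    // Constructed 16-byte image; the crafted header claims 24 bytes of notes
    // starting at offset 64, well past the end of the file.
    let image = vec![0u8; 16];
    let crafted = FakePhdr { p_offset: 64, p_filesz: 24 };
    println!("header fits image: {}", phdr_fits(crafted, image.len() as u64));

    let mut cur = Cursor::new(image.clone());
    cur.seek(SeekFrom::Start(crafted.p_offset)).unwrap();
    let mut buf = [0u8; NHDR_SZ];
    println!("pre-fix loop: {:?}", read_loop_unbounded(&mut cur, &mut buf, 1_000));

    let mut cur = Cursor::new(image);
    match parse_notes(&mut cur, crafted) {
        Ok(n) => println!("read {} note headers", n),
        Err(e) => println!("read_exact refused: {} ({:?})", e, e.kind()),
    }
}
```

`parse_notes` also covers the second failure mode the patch handles: a `p_filesz` that is larger than what remains after a valid `p_offset` fails on the first short `read_exact` rather than spinning.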

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Source      Affected versions   Patched versions
linux-loader    crates.io   < 0.8.1             0.8.1

Patches

a44f152da4f3

loader: x86_64: elf: Avoid reading beyond file end

1 file changed · +6 -7
  • src/loader/x86_64/elf/mod.rs  +6 -7  modified
    @@ -217,8 +217,8 @@ impl KernelLoader for Elf {
                 .map_err(|_| Error::SeekElfStart)?;
     
             let mut ehdr = elf::Elf64_Ehdr::default();
    -        ehdr.as_bytes()
    -            .read_from(0, kernel_image, mem::size_of::<elf::Elf64_Ehdr>())
    +        kernel_image
    +            .read_exact(ehdr.as_mut_slice())
                 .map_err(|_| Error::ReadElfHeader)?;
     
             // Sanity checks.
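Review bot: the `map_err` on the new `read_exact` call folds `ErrorKind::UnexpectedEof` into `Error::ReadElfHeader`, so an image shorter than `Elf64_Ehdr` is now reported instead of spun on, which is the right fix; because the error kind is discarded here, a regression test that feeds a truncated image and asserts `Err(Error::ReadElfHeader)` would pin that behaviour. Dropping the explicit `mem::size_of::<elf::Elf64_Ehdr>()` length is safe since `as_mut_slice()` carries the struct size.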
    @@ -246,12 +246,11 @@ impl KernelLoader for Elf {
                 .seek(SeekFrom::Start(ehdr.e_phoff))
                 .map_err(|_| Error::SeekProgramHeader)?;
     
    -        let phdr_sz = mem::size_of::<elf::Elf64_Phdr>();
             let mut phdrs: Vec<elf::Elf64_Phdr> = vec![];
             for _ in 0usize..ehdr.e_phnum as usize {
                 let mut phdr = elf::Elf64_Phdr::default();
    -            phdr.as_bytes()
    -                .read_from(0, kernel_image, phdr_sz)
    +            kernel_image
    +                .read_exact(phdr.as_mut_slice())
                     .map_err(|_| Error::ReadProgramHeader)?;
                 phdrs.push(phdr);
             }
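Review bot: removing `phdr_sz` is correct because `read_exact` sizes from the slice, but the loop bound `ehdr.e_phnum` still comes straight from the untrusted header. With `read_exact` each iteration now either fills a whole `Elf64_Phdr` or fails with `Error::ReadProgramHeader` at end of file, so a large `e_phnum` on a short image terminates quickly; it would still be worth validating `e_phoff + e_phnum * size_of::<Elf64_Phdr>()` against the image length (with checked arithmetic, both values being attacker-chosen) in the sanity-check block before the seek at the top of this hunk, so the rejection happens before any reads.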
    @@ -335,8 +334,8 @@ where
         let nhdr_sz = mem::size_of::<elf::Elf64_Nhdr>();
     
         while read_size < phdr.p_filesz as usize {
    -        nhdr.as_bytes()
    -            .read_from(0, kernel_image, nhdr_sz)
    +        kernel_image
    +            .read_exact(nhdr.as_mut_slice())
                 .map_err(|_| Error::ReadNoteHeader)?;
     
             // Check if the note header's name and type match the ones specified by the PVH ABI.
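Review bot: the loop condition `read_size < phdr.p_filesz as usize` still trusts `p_filesz` from the program header; after this change a `p_filesz` that runs past the file surfaces as `Error::ReadNoteHeader` on the first short `read_exact` rather than looping, which is the intended effect. `nhdr_sz` is kept at the top of the hunk, so confirm it is still used to advance `read_size` (otherwise the binding is dead after this change), and that the name/descriptor skip following the PVH check, not shown here, uses the same seek-or-`read_exact` pattern so it cannot run past end of file either.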
    
