CVE ID: CVE-2009-3288
Published: 2009-09-22T06:30:00.670-04:00
Last modified: 2011-09-14T23:06:30.957-04:00

Vulnerable software (CPE):
  cpe:/a:kernel:linux_kernel:2.6.28-rc1
  cpe:/o:linux:linux_kernel:2.6.31-rc2
  cpe:/o:linux:linux_kernel:2.6.31-rc3
  cpe:/o:linux:linux_kernel:2.6.31-rc4
  cpe:/o:linux:linux_kernel:2.6.31-rc5
  cpe:/o:linux:linux_kernel:2.6.31-rc6
  cpe:/o:linux:linux_kernel:2.6.31-rc7
  cpe:/o:linux:linux_kernel:2.6.31-rc8
  cpe:/o:linux:linux_kernel:2.6.31-rc9
  cpe:/o:linux:linux_kernel:2.6.31-rc10

CVSS:
  Base score: 4.9
  Access vector: LOCAL
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: NONE
  Availability impact: COMPLETE
  Source: http://nvd.nist.gov
  Generated on: 2009-09-22T16:37:00.000-04:00

References:
  SECUNIA 37105
  UBUNTU USN-852-1
  MLIST [linux-kernel] 20090902 [BUG] 2.6.31-rc8 readcd Oops
  MLIST [linux-kernel] 20090903 [PATCH] sg: fix oops in the error path in sg_build_indirect()
  MLIST [oss-security] 20090904 CVE request: kernel: NULL pointer dereference in sg_build_indirect()

Summary:
The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device.