GHSA-34vw-m4rh-r36p: 
vulnerability analysis and mitigation

A race condition vulnerability was discovered in the Linux kernel's IP framework for transforming packets (XFRM subsystem), specifically when multiple calls to xfrmprobealgs occurred simultaneously. The vulnerability was assigned GHSA-34vw-m4rh-r36p and affects Talos versions below 1.2.0. This security issue was published on September 8, 2022, and received a High severity rating with a CVSS score of 7.0 (GitHub Advisory).

The vulnerability exists in the XFRM subsystem of the Linux kernel's IP framework. It manifests as a race condition during simultaneous calls to xfrmprobealgs. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 with the following metrics: Attack Vector: Local, Attack Complexity: High, Privileges Required: Low, User Interaction: None, Scope: Unchanged, and High impact on Confidentiality, Integrity, and Availability. The vulnerability is associated with CWE-362 (race condition) and CWE-787 (GitHub Advisory).

The vulnerability could allow a local attacker to trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. While Kubernetes workloads running in Talos are generally not affected due to disabled user namespaces in the Talos kernel config, untrusted workloads running with privileged: true or having NET_ADMIN capability remain at risk (GitHub Advisory).

The vulnerability has been patched in Talos version 1.2.0 and later, which includes Linux Kernel 5.15.64 containing the fix. For systems that cannot be immediately updated, it is recommended to audit Kubernetes workloads running in the cluster with privileged: true set or having NET_ADMIN capability and assess the threat vector. The fix has been backported to version 5.15.64 of the upstream Linux kernel (GitHub Advisory).