Description
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
Low
Availability (Subsequent System)
None
Affected products
- Google / gVisorRelease 20241028.0 – Release 20241028.0
References
- PATCHhttps://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56
- PATCHhttps://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af
- PATCHhttps://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2
- MISChttps://www.ndss-symposium.org/wp-content/uploads/2025-122-paper.pdf