cbcvebase.
CVE-2022-1043
published 2022-08-29

CVE-2022-1043: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or…

PriorityP356high8.8CVSS 3.1
AVLACLPRLUINSCCHIHAH
EXPLOIT
EPSS
3.72%
88.4th percentile
A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.

Affected

11 ranges
VendorProductVersion rangeFixed in
debianlinux< linux 5.14.6-1 (bookworm)linux 5.14.6-1 (bookworm)
linuxlinux_kernel
linuxlinux_kernel>= 0 < 5.10.70-15.10.70-1
linuxlinux_kernel>= 0 < 5.14.6-15.14.6-1
linuxlinux_kernel>= 0 < 5.14.6-15.14.6-1
linuxlinux_kernel>= 0 < 5.14.6-15.14.6-1
linuxlinux_kernel>= 5.10.51 < 5.10.615.10.61
linuxlinux_kernel>= 5.11 < 5.13.135.13.13
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccm1_kernel_5.10.144.1-1_on_cbl_mariner_1.0

Detection & IOCsextracted from sources · hover to see the quote

pathmodules/exploits/linux/local/cve_2022_1043_io_uring_priv_esc.rb
  • Monitor for SUID binary creation by non-root processes, which is a key step in the exploitation chain — the exploit abuses freed cred objects to create a SUID root binary.
  • Detect processes that detach from their controlling terminal, block all signals, and persist silently — a deliberate evasion technique used by this exploit to avoid triggering a kernel panic on exit.
  • Scope detection to Linux kernels in the range v5.12-rc3 through v5.14-rc7; systems running kernel 5.13.12 (e.g., Ubuntu 22.04.01) are confirmed vulnerable and should be prioritised.
  • Exploitation requires more than 1 CPU; single-vCPU VMs/containers are not exploitable — use this as a risk-scoping filter when triaging affected hosts.
  • Watch for unexpected kernel panics on task termination following privilege escalation activity — the dangling cred pointer causes a kernel panic when the exploiting task exits, which can serve as a post-exploitation forensic indicator.
  • ·Exploitation is only possible on multi-CPU systems; single-CPU hosts are not exploitable.
  • ·All Red Hat Enterprise Linux kernel packages (RHEL 5–9, including RT variants) are confirmed NOT affected; no patching action is required on RHEL.
  • ·Debian fixed the vulnerability in kernel 5.14.6-1 (bookworm/sid/trixie/forky) and 5.10.70-1 (bullseye); systems on those or later versions are not vulnerable.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.