CVE-2022-20141 — Race Condition in Google Android

CWE-362 — Race Condition CWE-416 — Use After Free CWE-667 — Improper Locking CWE-413 — Improper Resource Locking12 documents9 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 93.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Paloalto Pan-os +1 more

Timeline

PublishedJun 15

Latest updateFeb 14

Description

In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages5 packages

▶Debianlinux/linux_kernel< 5.10.70-1+3

▶Ubuntulinux/linux_kernel< 4.4.0-230.264

▶googlegoogle/android

▶debiandebian/linux< linux 5.14.6-1 (bookworm)

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

OSV

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities↗2022-07-29

▶

GHSA

GHSA-47jx-5wh9-6796: In ip_check_mc_rcu of igmp↗2022-06-16

▶

OSV

CVE-2022-20141: In ip_check_mc_rcu of igmp↗2022-06-15

▶

OSV

CVE-2022-20141: In ip_check_mc_rcu of igmp↗2022-06-01

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Linux kernel vulnerabilities↗2022-07-29

▶

Android

CVE-2022-20141: Inet sockets↗2022-06-01

▶

Debian

CVE-2022-20141: linux - In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper...↗2022

▶

Red Hat

kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets↗2021-07-16

▶

📐Framework References

CWE

Use After Free↗

▶

CWE

Improper Resource Locking↗

▶