CVE-2022-21504

CWE-416: Use After Free (3 documents, 3 sources)
Severity: 5.5 MEDIUM
EPSS: 0.1% (top 75.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 14; Latest update Jun 15

Description

The code in UEK6 U3 was missing an appropriate file descriptor count. This resulted in a use count error that allowed a file descriptor to a socket to be closed and freed while it was still in use by another portion of the kernel. An attacker with local access can operate on the socket and cause a denial of service. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: oracle/linux 7, 8 +1
CVEListV5: oracle_corporation/oracle_linux (Oracle Linux: 7, Oracle Linux: 8 +1)

Vulnerability Details (2)

GHSA: GHSA-j35v-hq2g-vwqc: The code in UEK6 U3 was missing an appropriate file descriptor count (2022-06-15)
CVEList: CVE-2022-21504: The code in UEK6 U3 was missing an appropriate file descriptor count (2022-06-14)