CVE-2022-24958 — Release of Invalid Pointer or Reference in Kernel

CWE-763 — Release of Invalid Pointer or Reference CWE-416 — Use After Free20 documents8 sources

Severity

7.8HIGHNVD

OSV7.0OSV6.5OSV5.6OSV4.4

EPSS

0.0%

top 85.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Debian Linux +4 more

Timeline

PublishedFeb 11

Latest updateJul 13

Description

drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages7 packages

▶NVDlinux/linux_kernel< 5.16.8

▶Debianlinux/linux_kernel< 5.10.106-1+3

▶Ubuntulinux/linux_kernel< 4.15.0-177.186+1

▶debiandebian/linux< linux 5.16.14-1 (bookworm)

▶msrcmsrc/cbl2_kernel_5.15.32.1-2_on_cbl_mariner_2.0

Also affects: Debian Linux 9.0, Fedora 34, 35

Patches

Patch: git.kernel.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

linux-aws vulnerabilities↗2022-07-13

▶

OSV

linux-lts-xenial, linux-kvm vulnerabilities↗2022-07-07

▶

OSV

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.↗2022-06-08

▶

OSV

linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi vulnerabilities↗2022-06-08

▶

OSV

CVE-2022-24958: In dev_config of inode↗2022-06-01

▶

📋Vendor Advisories

Ubuntu

Linux kernel (AWS) vulnerabilities↗2022-07-13

▶

Ubuntu

Linux kernel vulnerabilities↗2022-07-07

▶

Ubuntu

Linux kernel vulnerabilities↗2022-06-08

▶

Ubuntu

Linux kernel vulnerabilities↗2022-06-08

▶

Android

CVE-2022-24958: USB↗2022-06-01

▶