CVE-2022-31622 — Improper Locking in Mariadb

CWE-667 — Improper Locking CWE-404 — Improper Resource Shutdown or Release8 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 90.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mariadb

Timeline

PublishedMay 25

Latest updateMay 26

Description

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. Note: The vendor argues this is just an improper locking bug and not a vulnerability with adverse effects.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDmariadb/mariadb10.3.0 — 10.3.33+5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-p293-2w9f-jrwc: MariaDB Server before 10↗2022-05-26

▶

OSV

CVE-2022-31622: MariaDB Server before 10↗2022-05-25

▶

CVEList

CVE-2022-31622: MariaDB Server before 10↗2022-05-25

▶

OSV

CVE-2022-31622: ** DISPUTED ** MariaDB Server before 10↗2022-05-25

▶

📋Vendor Advisories

Microsoft

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc when an error occurs (pthread_create returns a nonzero value) while executing the method create_worke↗2022-05-10

▶

Debian

CVE-2022-31622: mariadb-10.5 - MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabac...↗2022

▶

Red Hat

mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc↗2021-09-07

▶