CVE-2022-3176
Published 2022-09-16
High, 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
There exists a use-after-free in io_uring in the Linux kernel. signalfd_poll() and binder_poll() use a waitqueue whose lifetime is tied to the current task. A POLLFREE notification is sent to all waiters before the queue is freed. Unfortunately, io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 5.17.3-1 (bookworm) | linux 5.17.3-1 (bookworm) |
| linux | kernel | >= unspecified < fc78b2fc21f10c4c9c4d5d659a685710ffa63659 | fc78b2fc21f10c4c9c4d5d659a685710ffa63659 |
| linux | linux_kernel | >= 0 < 5.10.149-1 | 5.10.149-1 |
| linux | linux_kernel | >= 0 < 5.17.3-1 | 5.17.3-1 |
| linux | linux_kernel | >= 0 < 5.17.3-1 | 5.17.3-1 |
| linux | linux_kernel | >= 0 < 5.17.3-1 | 5.17.3-1 |
| linux | linux_kernel | >= 0 < 5.4.0-128.144 | 5.4.0-128.144 |
| linux | linux_kernel | >= 0 < 5.15.0-50.56 | 5.15.0-50.56 |
| linux | linux_kernel | >= 5.1 < 5.4.212 | 5.4.212 |
| linux | linux_kernel | >= 5.11 < 5.15.65 | 5.15.65 |
| linux | linux_kernel | >= 5.16 < 5.17 | 5.17 |
| linux | linux_kernel | >= 5.5 < 5.10.141 | 5.10.141 |
CVSS provenance
nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 7.8 HIGH