CVE-2022-3176

CWE-416: Use After Free
13 documents, 7 sources
Severity
7.8 HIGH
EPSS
0.0%
top 93.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 16
Latest update: Oct 27

Description

There exists a use-after-free in io_uring in the Linux kernel. signalfd_poll() and binder_poll() use a waitqueue whose lifetime is that of the current task. They send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: linux/kernel, unspecified, fc78b2fc21f10c4c9c4d5d659a685710ffa63659
NVD: linux/linux_kernel, 5.15.4.212+3
Debian: linux, < 5.10.149-1+3

Also affects: Debian Linux 10.0, 11.0

Patches

🔴Vulnerability Details

3
GHSA
GHSA-63jf-69f4-24f6: There exists a use-after-free in io_uring in the Linux kernel (2022-09-17)
CVEList
Use-after-free in io_uring in Linux Kernel (2022-09-16)
OSV
CVE-2022-3176: There exists a use-after-free in io_uring in the Linux kernel (2022-09-16)

📋Vendor Advisories

9
Ubuntu
Linux kernel (Azure CVM) vulnerabilities (2022-10-27)
Ubuntu
Linux kernel (Intel IoTG) vulnerabilities (2022-10-26)
Ubuntu
Linux kernel (IBM) vulnerabilities (2022-10-14)
Ubuntu
Linux kernel (AWS) vulnerabilities (2022-10-14)
Ubuntu
Linux kernel vulnerabilities (2022-10-13)