CVE Vulnerability

CVE-2022-3176

There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659 Patch Vendor Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?h=linux-5.4.y&id=fc78b2fc21f10c4c9c4d5d659a685710ffa63659 Mailing List Patch
https://www.debian.org/security/2022/dsa-5257 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20230216-0003/
Configurations

Configuration 1

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Information

Published : 2022-09-16 02:15

Updated : 2023-02-16 02:15

NVD link : CVE-2022-3176

Mitre link : CVE-2022-3176

Products Affected
No products.
CWE
CWE-416