CVE-2022-3176

CVSS v3.1 7.8 (High)
EPSS 0.04 % (15th)
Affected Products 2
Advisories 17

There exists a use-after-free in io_uring in the Linux kernel. signalfd_poll() and binder_poll() use a waitqueue whose lifetime is tied to the current task. A POLLFREE notification is sent to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659.

Weaknesses: CWE-416 (Use After Free)
CVE Status: PUBLISHED
CNA: Google Inc.
Published Date: 2022-09-16 14:15:09 (2 years ago)
Updated Date: 2023-04-11 18:15:23 (17 months ago)

Affected Products


Configuration #1

    Product        CPE23                          From      Up To
    Linux Kernel   cpe:2.3:o:linux:linux_kernel   >= 5.1    < 5.4.212
    Linux Kernel   cpe:2.3:o:linux:linux_kernel   >= 5.5    < 5.10.141
    Linux Kernel   cpe:2.3:o:linux:linux_kernel   >= 5.11   < 5.15.65
    Linux Kernel   cpe:2.3:o:linux:linux_kernel   >= 5.16   < 5.17

Configuration #2

    Product             CPE23                                From   Up To
    Debian Linux 10.0   cpe:2.3:o:debian:debian_linux:10.0   -      -
    Debian Linux 11.0   cpe:2.3:o:debian:debian_linux:11.0   -      -
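
A triage check for the upstream ranges in Configuration #1, added here as an example and not part of the original record. It assumes the input is a `uname -r` style string carrying the upstream version; distribution kernels that backport fixes or use ABI-style release names need the vendor's advisory instead, and release candidates are left for manual review.

```python
import re

# Ranges copied from Configuration #1 on this page:
# (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((5, 1, 0), (5, 4, 212)),
    ((5, 5, 0), (5, 10, 141)),
    ((5, 11, 0), (5, 15, 65)),
    ((5, 16, 0), (5, 17, 0)),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch).

    A missing patch level counts as 0. Flavour suffixes such as
    "-generic" are ignored; "-rc" builds are rejected, not guessed at.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m or "-rc" in m.group(4):
        raise ValueError(f"cannot classify kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_range(release):
    """True if the version falls in a range listed for CVE-2022-3176."""
    version = parse_release(release)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def triage(releases):
    """Map each release string to 'in-range', 'out-of-range' or 'unparsed'."""
    result = {}
    for rel in releases:
        try:
            result[rel] = "in-range" if in_affected_range(rel) else "out-of-range"
        except ValueError:
            result[rel] = "unparsed"  # needs a manual look
    return result


if __name__ == "__main__":
    import platform
    print(triage([platform.release()]))
```

An "in-range" result means the host needs a closer look against the fix commit named in the description, not that it is confirmed vulnerable.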