CVE-2022-21504

EPSS 0.08%
Published 14.06.2022 18:15:08
Last modified 21.11.2024 06:44:50
Source secalert_us@oracle.com
Teams watchlist Login
Open Login

The code in UEK6 U3 was missing an appropiate file descriptor count to be missing. This resulted in a use count error that allowed a file descriptor to a socket to be closed and freed while it was still in use by another portion of the kernel. An attack with local access can operate on the socket, and cause a denial of service. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Oracle ≫ Linux Version7 Update-

Oracle ≫ Linux Version8 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.255

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:N/A:P
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
secalert_us@oracle.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://github.com/oracle/linux-uek/commit/49c68f5f892d8c2be00e0a89ff2a035422c03b59

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-21504

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-21504

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-21504

EUVD