CVE-2022-48801

EPSS 0.02%
Veröffentlicht 16.07.2024 12:15:04
Zuletzt bearbeitet 24.09.2025 16:54:07
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL

If we fail to copy the just created file descriptor to userland, we
try to clean up by putting back 'fd' and freeing 'ib'. The code uses
put_unused_fd() for the former which is wrong, as the file descriptor
was already published by fd_install() which gets called internally by
anon_inode_getfd().

This makes the error handling code leaving a half cleaned up file
descriptor table around and a partially destructed 'file' object,
allowing userland to play use-after-free tricks on us, by abusing
the still usable fd and making the code operate on a dangling
'file->private_data' pointer.

Instead of leaving the kernel in a partially corrupted state, don't
attempt to explicitly clean up and leave this to the process exit
path that'll release any still valid fds, including the one created
by the previous call to anon_inode_getfd(). Simply return -EFAULT to
indicate the error.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.13 < 5.15.24

Linux ≫ Linux Kernel Version >= 5.16 < 5.16.10

Linux ≫ Linux Kernel Version5.17 Updaterc1

Linux ≫ Linux Kernel Version5.17 Updaterc2

Linux ≫ Linux Kernel Version5.17 Updaterc3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.036

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/202071d2518537866d291aa7cf26af54e674f4d4

Patch

https://git.kernel.org/stable/c/b7f54894aa7517d2b6c797a499b9f491e9db9083

Patch

https://git.kernel.org/stable/c/c72ea20503610a4a7ba26c769357d31602769c01

Patch

https://nvd.nist.gov/vuln/detail/CVE-2022-48801

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-48801

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-48801

EUVD