CVE-2022-50240

EPSS 0.02%
Veröffentlicht 15.09.2025 14:01:45
Zuletzt bearbeitet 24.11.2025 17:25:46
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

android: binder: stop saving a pointer to the VMA

Do not record a pointer to a VMA outside of the mmap_lock for later use. 
This is unsafe and there are a number of failure paths *after* the
recorded VMA pointer may be freed during setup.  There is no callback to
the driver to clear the saved pointer from generic mm code.  Furthermore,
the VMA pointer may become stale if any number of VMA operations end up
freeing the VMA so saving it was fragile to being with.

Instead, change the binder_alloc struct to record the start address of the
VMA and use vma_lookup() to get the vma when needed.  Add lockdep
mmap_lock checks on updates to the vma pointer to ensure the lock is held
and depend on that lock for synchronization of readers and writers - which
was already the case anyways, so the smp_wmb()/smp_rmb() was not
necessary.

[akpm@linux-foundation.org: fix drivers/android/binder_alloc_selftest.c]

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.224

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.154

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.61

Linux ≫ Linux Kernel Version >= 5.16 < 5.18.18

Linux ≫ Linux Kernel Version >= 5.19 < 5.19.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.035

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/622ef885a89ad04cfb76ee478fb44f051125d1f1

Patch

https://git.kernel.org/stable/c/925e6b6f82c9c80ab3c17acbde8d16f349da7d26

Patch

https://git.kernel.org/stable/c/1ec3f76a436d750fd5023caec5da0494fc2870d2

Patch

https://git.kernel.org/stable/c/a43cfc87caaf46710c8027a8c23b8a55f1078f19

Patch

https://git.kernel.org/stable/c/015ac18be7de25d17d6e5f1643cb3b60bfbe859e

Patch

https://git.kernel.org/stable/c/27a594bc7a7c8238d239e3cdbcf2edfa3bbe9a1b

Patch

https://nvd.nist.gov/vuln/detail/CVE-2022-50240

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-50240

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-50240

EUVD