7.8
CVE-2022-50243
- EPSS 0.15%
- Veröffentlicht 15.09.2025 14:01:52
- Zuletzt bearbeitet 24.11.2025 20:04:28
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
sctp: handle the error returned from sctp_auth_asoc_init_active_key
In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.19.199 < 4.19.262
Linux ≫ Linux Kernel Version >= 5.4.136 < 5.4.220
Linux ≫ Linux Kernel Version >= 5.10.54 < 5.10.150
Linux ≫ Linux Kernel Version >= 5.13.6 < 5.14
Linux ≫ Linux Kernel Version >= 5.14.1 < 5.15.75
Linux ≫ Linux Kernel Version >= 5.16 < 5.19.17
Linux ≫ Linux Kernel Version >= 6.0 < 6.0.3
Linux ≫ Linux Kernel Version5.14 Update-
Linux ≫ Linux Kernel Version5.14 Updaterc3
Linux ≫ Linux Kernel Version5.14 Updaterc4
Linux ≫ Linux Kernel Version5.14 Updaterc5
Linux ≫ Linux Kernel Version5.14 Updaterc6
Linux ≫ Linux Kernel Version5.14 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.046 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40
https://git.kernel.org/stable/c/382ff44716603a54f5fd238ddec6a2468e217612
https://git.kernel.org/stable/c/f65955340e0044f5c41ac799a01698ac7dee8a4e
https://git.kernel.org/stable/c/19d636b663e0e92951bba5fced929ca7fd25c552
https://git.kernel.org/stable/c/0f90099d18e3abdc01babf686f41f63fe04939c1
https://git.kernel.org/stable/c/3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d
https://git.kernel.org/stable/c/022152aaebe116a25c39818a07e175a8cd3c1e11