CVE-2022-24448

kernel: nfs_atomic_open() returns uninitialized data instead of ENOTDIR

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.

Se ha detectado un problema en el archivo fs/nfs/dir.c en el kernel de Linux versiones anteriores a 5.16.5. Si una aplicación establece la bandera O_DIRECTORY, y trata de abrir un archivo regular, la función nfs_atomic_open() lleva a cabo una búsqueda regular. Si es encontrado un archivo regular, debería producirse ENOTDIR, pero el servidor en su lugar devuelve datos no inicializados en el descriptor de archivo

A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leads to the kernel's data leak into the userspace.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-04 CVE Reserved
2022-02-04 CVE Published
2023-05-12 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-755: Improper Handling of Exceptional Conditions
CWE-908: Use of Uninitialized Resource

CAPEC

References (12)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html	Mailing List
https://lore.kernel.org/all/67d6a536-9027-1928-99b6-af512a36cd1a%40huawei.com/T	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.5	2023-11-07
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac795161c93699d600db16c1a8cc23a65a1eceaf	2023-11-07
https://github.com/torvalds/linux/commit/ab0fc21bc7105b54bafd85bd8b82742f9e68898a	2023-11-07
https://github.com/torvalds/linux/commit/ac795161c93699d600db16c1a8cc23a65a1eceaf	2023-11-07
https://www.spinics.net/lists/stable/msg531976.html	2023-11-07

URL	Date	SRC
https://www.debian.org/security/2022/dsa-5092	2023-11-07
https://www.debian.org/security/2022/dsa-5096	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-24448	2024-02-07
https://bugzilla.redhat.com/show_bug.cgi?id=2051444	2024-02-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.16.5 Search vendor "Linux" for product "Linux Kernel" and version " < 5.16.5"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected