
CVE-2022-4696

 

  • Severity Score: 7.8 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)

Descriptions

A use-after-free vulnerability exists in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so the nsproxy reference counter is not increased. This assumption does not always hold: calling io_splice on specific files calls the get_uts function, which uses current->nsproxy. The reference counter is then invalidly decreased later, causing the use-after-free. We recommend upgrading to version 5.10.160 or above.


*Credits: Bing-Jhong Billy Jheng of Starlabs
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2022-12-23 CVE Reserved
  • 2023-01-11 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 EPSS Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-416: Use After Free
  • CWE-763: Release of Invalid Pointer or Reference
CAPEC
  • CAPEC-251: Local Code Inclusion
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Linux | Linux Kernel | >= 5.10 < 5.12 | - | Affected