CVE-2022-4696

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above

Existe una vulnerabilidad de use-after-free en el kernel de Linux a través de io_uring y la operación IORING_OP_SPLICE. Si a IORING_OP_SPLICE le falta el indicador IO_WQ_WORK_FILES, que indica que la operación no utilizará current->nsproxy, por lo que su contador de referencia no aumenta. Esta suposición no siempre es cierta, ya que llamar a io_splice en archivos específicos llamará a la función get_uts, que utilizará current->nsproxy, lo que provocará una disminución no válida de su contador de referencia y luego provocará la vulnerabilidad de use-after-free. Recomendamos actualizar a la versión 5.10.160 o superior

*Credits: Bing-Jhong Billy Jheng of Starlabs

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-12-23 CVE Reserved
2023-01-11 CVE Published
2024-08-03 CVE Updated
2024-08-03 EPSS Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free
CWE-763: Release of Invalid Pointer or Reference

CAPEC

CAPEC-251: Local Code Inclusion

References (2)

URL	Tag	Source

URL	Date	SRC
https://kernel.dance/#75454b4bbfc7e6a4dd8338556f36ea9107ddf61a	2024-08-03

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=75454b4bbfc7e6a4dd8338556f36ea9107ddf61a	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 5.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.12"		-		Affected