CVE-2022-48686

nvme-tcp: fix UAF when detecting digest errors

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix UAF when detecting digest errors

We should also bail from the io_work loop when we set rd_enabled to true,
so we don't attempt to read data from the socket when the TCP stream is
already out-of-sync or corrupted.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvme-tcp: corrige UAF al detectar errores de resumen. También debemos salir del bucle io_work cuando configuramos rd_enabled en verdadero, para no intentar leer datos del socket cuando el flujo TCP ya no está sincronizado o está dañado.

A use-after-free vulnerability was found in the Linux kernel in drivers/nvme/host/tcp.c in nvme_tcp_io_work. This issue can occur when a local user continues to read data after the connection finishes. This flaw allows a malicious user to cause a use-after-free problem.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-03 CVE Reserved
2024-05-03 CVE Published
2024-05-24 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/3f2304f8c6d6ed97849057bd16fee99e434ca796	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/19816a0214684f70b49b25075ff8c402fdd611d3	2022-09-15
https://git.kernel.org/stable/c/5914fa32ef1b7766fea933f9eed94ac5c00aa7ff	2022-09-15
https://git.kernel.org/stable/c/13c80a6c112467bab5e44d090767930555fc17a5	2022-09-15
https://git.kernel.org/stable/c/c3eb461aa56e6fa94fb80442ba2586bd223a8886	2022-09-15
https://git.kernel.org/stable/c/160f3549a907a50e51a8518678ba2dcf2541abea	2022-09-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-48686	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2278931	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.4.213 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.4.213"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.10.143 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.10.143"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.15.68 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.15.68"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.19.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.19.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.0"		en		Affected