CVE-2022-20141

NameCVE-2022-20141
DescriptionIn ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.235-1fixed
buster (security)4.19.249-2fixed
bullseye5.10.106-1fixed
bullseye (security)5.10.120-1fixed
bookworm, sid5.18.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcestretch4.9.290-1
linuxsourcebuster4.19.208-1
linuxsourcebullseye5.10.70-1
linuxsource(unstable)5.14.6-1

Notes

https://source.android.com/security/bulletin/2022-06-01
https://git.kernel.org/linus/23d2b94043ca8835bd1e67749020e839f396a1c2 (5.15-rc1)

Search for package or bug name: Reporting problems