CVE-2022-3176

NameCVE-2022-3176
DescriptionThere exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3173-1, DSA-5257-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.249-2vulnerable
buster (security)4.19.269-1vulnerable
bullseye5.10.158-2fixed
bullseye (security)5.10.162-1fixed
bookworm6.1.7-1fixed
sid6.1.8-1fixed
linux-5.10 (PTS)buster (security)5.10.158-2~deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebullseye5.10.149-1DSA-5257-1
linuxsource(unstable)5.17.3-1
linux-5.10sourcebuster5.10.149-2~deb10u1DLA-3173-1

Notes

https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659

Search for package or bug name: Reporting problems