There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above
References
Link | Resource |
---|---|
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=75454b4bbfc7e6a4dd8338556f36ea9107ddf61a | Mailing List Patch Vendor Advisory |
https://kernel.dance/#75454b4bbfc7e6a4dd8338556f36ea9107ddf61a | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Google
Published: 2023-01-11T12:33:41.024Z
Updated:
Reserved: 2022-12-23T13:11:04.948Z
Link: CVE-2022-4696
JSON object: View
NVD Information
Status : Modified
Published: 2023-01-11T13:15:09.307
Modified: 2023-11-07T03:58:36.397
Link: CVE-2022-4696
JSON object: View
Redhat Information
No data.