There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Google
Published: 2022-09-16T13:55:09.907980Z
Updated: 2024-09-16T18:44:51.756Z
Reserved: 2022-09-12T00:00:00
Link: CVE-2022-3176
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2022-09-16T14:15:09.713
Modified: 2023-04-11T18:15:23.143
Link: CVE-2022-3176
Redhat