CVE-2022-3910 - OpenCVE

Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc5::::::

No data.

References

Link	Providers
https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679
https://nvd.nist.gov/vuln/detail/CVE-2022-3910
https://www.cve.org/CVERecord?id=CVE-2022-3910

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2022-11-22T12:12:16.700Z

Updated: 2024-08-03T01:20:58.856Z

Reserved: 2022-11-09T12:57:22.704Z

Link: CVE-2022-3910

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-22T13:15:13.167

Modified: 2023-11-07T03:51:57.160

Link: CVE-2022-3910

Redhat

Severity : Moderate

Publid Date: 2022-09-15T00:00:00Z

Links: CVE-2022-3910 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3910", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "requesterUserId": "ed9b5bb2-2df1-4aa3-9791-5fb260d88e62", "dateReserved": "2022-11-09T12:57:22.704Z", "datePublished": "2022-11-22T12:12:16.700Z", "dateUpdated": "2024-08-03T01:20:58.856Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "product": "Linux Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThanOrEqual": "5.19.10", "status": "affected", "version": "5.18.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bing-Jhong Billy Jheng of Starlabs"}], "datePublic": "2022-05-16T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.<br>When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.<br><br>We recommend upgrading past commit <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679\">https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679</a><br>"}], "value": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.\n\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 \n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2022-11-22T12:26:26.702Z"}, "references": [{"url": "https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679"}, {"url": "https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679"}], "source": {"discovery": "EXTERNAL"}, "title": "Use after free in IO_uring in the Linux Kernel", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:58.856Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679", "tags": ["x_transferred"]}, {"url": "https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC7F6228-4E87-46E2-8CD8-A8439BC31E81", "versionEndExcluding": "5.19.11", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "F8446E87-F5F6-41CA-8201-BAE0F0CA6DD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "8E5FB72F-67CE-43CC-83FE-541604D98182", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.\n\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 \n"}, {"lang": "es", "value": "La vulnerabilidad de Use After Free en el kernel de Linux permite la escalada de privilegios. Una actualizaci\u00f3n incorrecta del recuento de referencias en io_uring conduce a un use-after-free y escalada de privilegios locales. Cuando se invoc\u00f3 io_msg_ring con un archivo fijo, llam\u00f3 a io_fput_file(), lo que disminuy\u00f3 incorrectamente su recuento de referencias (lo que llev\u00f3 a Use-After-Free y Escalada de privilegios locales). Los archivos fijos est\u00e1n registrados permanentemente en el anillo y no deben colocarse por separado. Recomendamos actualizar el commit anteriorhttps://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 "}], "id": "CVE-2022-3910", "lastModified": "2023-11-07T03:51:57.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-11-22T13:15:13.167", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: Improper update of reference count in io_uring leads to use-after-free", "id": "2144960", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144960"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-911->CWE-416", "details": ["Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.\nWe recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679", "A use-after-free flaw was found in the io_uring subsystem of the Linux kernel. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count. This could allow a local user to crash the system or escalate their privileges on the system."], "name": "CVE-2022-3910", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3910\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3910"], "statement": "Red Hat Enterprise Linux is not affected by this flaw as io_uring (CONFIG_IO_URING) is not enabled in any current shipping kernels.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.0-rc6"}