CVE-2022-48740 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. [PM: fix line lengths in the description]

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

References

Link	Providers
https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad
https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7
https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4
https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db
https://lore.kernel.org/linux-cve-announce/2024062002-CVE-2022-48740-a623@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-48740
https://www.cve.org/CVERecord?id=CVE-2022-48740

History

Mon, 19 Aug 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-06-20T11:13:25.346Z

Updated: 2024-08-03T15:25:01.573Z

Reserved: 2024-06-20T11:09:39.054Z

Link: CVE-2022-48740

Vulnrichment

Updated: 2024-08-03T15:25:01.573Z

NVD

Status : Analyzed

Published: 2024-06-20T12:15:12.330

Modified: 2024-08-19T17:03:31.843

Link: CVE-2022-48740

Redhat

Severity : Moderate

Publid Date: 2024-06-20T00:00:00Z

Links: CVE-2022-48740 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48740", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-20T11:09:39.054Z", "datePublished": "2024-06-20T11:13:25.346Z", "dateUpdated": "2024-08-03T15:25:01.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-06-20T11:14:31.085Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix double free of cond_list on error paths\n\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref. Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\n\nAlso consistently reset the cond_list pointer to NULL after freeing.\n\n[PM: fix line lengths in the description]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/selinux/ss/conditional.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "f446089a268c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "70caa32e6d81", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "7ed9cbf7ac0d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "186edf7e368c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["security/selinux/ss/conditional.c"], "versions": [{"version": "5.10.99", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.22", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.16.8", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db"}, {"url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7"}, {"url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4"}, {"url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad"}], "title": "selinux: fix double free of cond_list on error paths", "x_generator": {"engine": "bippy-7d53e8ef8be4"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-20T16:02:52.249178Z", "id": "CVE-2022-48740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-27T18:17:10.641Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.573Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.573Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-20T16:02:52.249178Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-27T18:17:07.477Z"}}], "cna": {"title": "selinux: fix double free of cond_list on error paths", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "f446089a268c", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "70caa32e6d81", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "7ed9cbf7ac0d", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "186edf7e368c", "versionType": "git"}], "programFiles": ["security/selinux/ss/conditional.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.10.99", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.22", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.8", "versionType": "custom", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["security/selinux/ss/conditional.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db"}, {"url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7"}, {"url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4"}, {"url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad"}], "x_generator": {"engine": "bippy-7d53e8ef8be4"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix double free of cond_list on error paths\n\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref. Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\n\nAlso consistently reset the cond_list pointer to NULL after freeing.\n\n[PM: fix line lengths in the description]"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-06-20T11:14:31.085Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48740", "state": "PUBLISHED", "dateUpdated": "2024-08-03T15:25:01.573Z", "dateReserved": "2024-06-20T11:09:39.054Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-20T11:13:25.346Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E58D7990-F870-451F-A267-BF81F7ABEAEB", "versionEndExcluding": "5.10.99", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74528AA6-B524-4C3F-B188-1194235FE47D", "versionEndExcluding": "5.15.22", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0623892A-E3E4-44E6-8A5E-39A0B47AF782", "versionEndExcluding": "5.16.8", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix double free of cond_list on error paths\n\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref. Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\n\nAlso consistently reset the cond_list pointer to NULL after freeing.\n\n[PM: fix line lengths in the description]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: selinux: corrige el doble libre de cond_list en rutas de error En la ruta de error de cond_read_list() y duplicado_policydb_cond_list(), se llama a cond_list_destroy() por segunda vez en las funciones de llamada, lo que resulta en un puntero NULL deref. Solucione este problema restableciendo cond_list_len a 0 en cond_list_destroy(), haciendo que las llamadas posteriores sean un error. Tambi\u00e9n restablezca constantemente el puntero cond_list a NULL despu\u00e9s de liberarlo. [PM: corrija la longitud de las l\u00edneas en la descripci\u00f3n]"}], "id": "CVE-2022-48740", "lastModified": "2024-08-19T17:03:31.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-20T12:15:12.330", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: selinux: fix double free of cond_list on error paths", "id": "2293319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293319"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-415", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nselinux: fix double free of cond_list on error paths\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref. Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\nAlso consistently reset the cond_list pointer to NULL after freeing.\n[PM: fix line lengths in the description]"], "name": "CVE-2022-48740", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48740\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48740\nhttps://lore.kernel.org/linux-cve-announce/2024062002-CVE-2022-48740-a623@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.10.99, kernel 5.15.22, kernel 5.16.8, kernel 5.17"}