{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48771", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-20T11:09:39.061Z", "datePublished": "2024-06-20T11:13:45.896Z", "dateUpdated": "2024-11-04T12:16:10.934Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:16:10.934Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "c906965dee22", "lessThan": "e8d092a62449", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "0008a0c78fc3", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "84b1259fe36a", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "ae2b20f27732", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "6066977961fc", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "1d833b27fb70", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "a0f90c881570", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "4.14", "status": "affected"}, {"version": "0", "lessThan": "4.14", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.264", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.227", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.175", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.95", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.18", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.4", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}], "title": "drm/vmwgfx: Fix stale file descriptors on failed usercopy", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:00.306Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:09:57.107831Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:46.747Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48771", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-20T11:09:39.061Z", "datePublished": "2024-06-20T11:13:45.896Z", "dateUpdated": "2024-08-03T15:25:00.306Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-06-20T11:15:07.689Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "c906965dee22", "lessThan": "e8d092a62449", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "0008a0c78fc3", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "84b1259fe36a", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "ae2b20f27732", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "6066977961fc", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "1d833b27fb70", "status": "affected", "versionType": "git"}, {"version": "c906965dee22", "lessThan": "a0f90c881570", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "4.14", "status": "affected"}, {"version": "0", "lessThan": "4.14", "status": "unaffected", "versionType": "custom"}, {"version": "4.14.264", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom"}, {"version": "4.19.227", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.175", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.95", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.18", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.16.4", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}], "title": "drm/vmwgfx: Fix stale file descriptors on failed usercopy", "x_generator": {"engine": "bippy-7d53e8ef8be4"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:09:57.107831Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-09-11T12:42:25.860Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vmwgfx: corrige descriptores de archivos obsoletos en una copia de usuario fallida. Una copia de usuario fallida del objeto valla_rep generar\u00e1 una entrada obsoleta en la tabla de descriptores de archivos, ya que put_unused_fd() no lo liberar\u00e1. Esto permite al usuario hacer referencia a un objeto 'archivo' pendiente a trav\u00e9s de ese descriptor de archivo a\u00fan v\u00e1lido, lo que lleva a todo tipo de escenarios de explotaci\u00f3n de use-after-free. Solucione este problema posponiendo la llamada a fd_install() hasta que la copia del usuario se haya realizado correctamente."}], "id": "CVE-2022-48771", "lastModified": "2024-06-20T12:43:25.663", "metrics": {}, "published": "2024-06-20T12:15:15.043", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2022:1988", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-372.9.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "kernel: drm/vmwgfx: Fix stale file descriptors on failed usercopy", "id": "2293337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293337"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48771", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48771\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48771\nhttps://lore.kernel.org/linux-cve-announce/2024062011-CVE-2022-48771-2c90@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 4.14.264, kernel 4.19.227, kernel 5.4.175, kernel 5.10.95, kernel 5.15.18, kernel 5.16.4, kernel 5.17"}