{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-48950", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-22T01:27:53.625Z", "datePublished": "2024-10-21T20:05:38.440Z", "dateUpdated": "2025-12-23T13:21:16.235Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-23T13:21:16.235Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "ca7b0a10287e2733bdafb01ef0d4038536625fe3", "lessThan": "8bffa95ac19ff27c8261904f89d36c7fcf215d59", "status": "affected", "versionType": "git"}, {"version": "078c12ccf1fb943cc18c84894c76113dc89e5975", "lessThan": "78e1317a174edbfd1182599bf76c092a2877672c", "status": "affected", "versionType": "git"}, {"version": "ca6c21327c6af02b7eec31ce4b9a740a18c6c13f", "lessThan": "517e6a301f34613bff24a8e35b5455884f2d83d8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "5.15.77", "lessThan": "5.15.84", "status": "affected", "versionType": "semver"}, {"version": "6.0.7", "lessThan": "6.0.14", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.77", "versionEndExcluding": "5.15.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.7", "versionEndExcluding": "6.0.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59"}, {"url": "https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c"}, {"url": "https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8"}], "title": "perf: Fix perf_pending_task() UaF", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:21:45.788376Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:28:40.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:21:45.788376Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:21:48.944Z"}}], "cna": {"title": "perf: Fix perf_pending_task() UaF", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "ca7b0a10287e2733bdafb01ef0d4038536625fe3", "lessThan": "8bffa95ac19ff27c8261904f89d36c7fcf215d59", "versionType": "git"}, {"status": "affected", "version": "078c12ccf1fb943cc18c84894c76113dc89e5975", "lessThan": "78e1317a174edbfd1182599bf76c092a2877672c", "versionType": "git"}, {"status": "affected", "version": "ca6c21327c6af02b7eec31ce4b9a740a18c6c13f", "lessThan": "517e6a301f34613bff24a8e35b5455884f2d83d8", "versionType": "git"}], "programFiles": ["kernel/events/core.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15.77", "lessThan": "5.15.84", "versionType": "semver"}, {"status": "affected", "version": "6.0.7", "lessThan": "6.0.14", "versionType": "semver"}], "programFiles": ["kernel/events/core.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59"}, {"url": "https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c"}, {"url": "https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.84", "versionStartIncluding": "5.15.77"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.14", "versionStartIncluding": "6.0.7"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-23T13:21:16.235Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48950", "state": "PUBLISHED", "dateUpdated": "2025-12-23T13:21:16.235Z", "dateReserved": "2024-08-22T01:27:53.625Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T20:05:38.440Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F012D68-F8BC-4FEE-9203-10B77967371C", "versionEndExcluding": "5.15.84", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8761B6C5-F658-46D1-92B8-4ED28F931D6A", "versionEndExcluding": "6.0.14", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*", "matchCriteriaId": "35B26BE4-43A6-4A36-A7F6-5B3F572D9186", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*", "matchCriteriaId": "3FFFB0B3-930D-408A-91E2-BAE0C2715D80", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*", "matchCriteriaId": "8535320E-A0DB-4277-800E-D0CE5BBA59E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*", "matchCriteriaId": "21718AA4-4056-40F2-968E-BDAA465A7872", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf: Fix perf_pending_task() UaF Por syzbot es posible que perf_pending_task() se ejecute despu\u00e9s de que el evento sea free(). Hay dos casos relacionados pero distintos: - el task_work ya estaba en cola antes de destruir el evento; - destruir el evento en s\u00ed mismo pone en cola el task_work. El primero no se puede resolver usando task_work_cancel() ya que perf_release() en s\u00ed mismo podr\u00eda ser llamado desde un task_work (____fput), lo que significa que la lista current->task_works ya est\u00e1 vac\u00eda y task_work_cancel() no podr\u00e1 encontrar la entrada perf_pending_task(). La alternativa m\u00e1s simple es extender la duraci\u00f3n de perf_event para cubrir el task_work. El segundo es simplemente una tonter\u00eda, poner en cola una tarea_trabajo mientras sabes que el evento va a desaparecer no tiene sentido y se evita f\u00e1cilmente reorganizando c\u00f3mo se marca el evento como STATE_DEAD y asegur\u00e1ndose de que pase por STATE_OFF en el camino hacia abajo."}], "id": "CVE-2022-48950", "lastModified": "2024-10-25T20:02:03.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T20:15:06.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: perf: Fix perf_pending_task() UaF", "id": "2320683", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320683"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nperf: Fix perf_pending_task() UaF\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n- the task_work was already queued before destroying the event;\n- destroying the event itself queues the task_work.\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down.", "A use-after-free vulnerability was found in the Linux kernel. It is possible for perf_pending_task() to run after the event is free, resulting in a loss of system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48950", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48950\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48950\nhttps://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48950-dc5f@gregkh/T"], "threat_severity": "Moderate"}

{}