Overview
- Description
- Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
- Source
- cve-coordination@google.com
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- NVD-CWE-Other
- cve-coordination@google.com
- CWE-416
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DC7F6228-4E87-46E2-8CD8-A8439BC31E81",
"versionEndExcluding": "5.19.11",
"versionStartIncluding": "5.18"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F8446E87-F5F6-41CA-8201-BAE0F0CA6DD9"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8E5FB72F-67CE-43CC-83FE-541604D98182"
}
],
"operator": "OR"
}
]
}
]