Use-after-free in Linux kernel net bonding driver
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-49667 |
| CWE-ID | CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use-after-free
EUVDB-ID: #VU104447
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-49667
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the bond_3ad_unbind_slave() function in drivers/net/bonding/bond_3ad.c. A local user can escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsLinux kernel: All versions
CPE2.3 External linkshttps://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562
https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc
https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6
https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8
https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e
https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6
https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15
https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
