#VU104430 Use-after-free in Linux kernel - CVE-2022-49388


Vulnerability identifier: #VU104430

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-49388

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the spin_unlock() function in drivers/mtd/ubi/vmt.c. A local user can escalate privileges on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/1174ab8ba36a48025b68b5ff1085000b1e510217
https://git.kernel.org/stable/c/25ff1e3a1351c0d936dd1ac2f9e58231ea1510c9
https://git.kernel.org/stable/c/5ff2514e4fb55dcf3d88294686040ca73ea0c1a2
https://git.kernel.org/stable/c/6d8d3f68cbecfd31925796f0fb668eb21ab06734
https://git.kernel.org/stable/c/8302620aeb940f386817321d272b12411ae7d39f
https://git.kernel.org/stable/c/8c03a1c21d72210f81cb369cc528e3fde4b45411
https://git.kernel.org/stable/c/abb67043060f2bf4c03d7c3debb9ae980e2b6db3
https://git.kernel.org/stable/c/e27ecf325e51abd06aaefba57a6322a46fa4178b

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for the Linux Kernel
openEuler 20.03 LTS SP4 update for kernel
Use-after-free in Linux kernel mtd ubi driver