#VU104448 Use-after-free in Linux kernel - CVE-2022-49337


Vulnerability identifier: #VU104448

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-49337

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the spin_lock() and user_dlm_destroy_lock() functions in fs/ocfs2/dlmfs/userdlm.c. A local user can escalate privileges on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/02480e2e82ae0e5588374bbbcf4fa6e4959fa174
https://git.kernel.org/stable/c/1434cd71ad9f3a6beda3036972983b6c4869207c
https://git.kernel.org/stable/c/2c5e26a626fe46675bceba853e12aaf13c712e10
https://git.kernel.org/stable/c/337e36550788dbe03254f0593a231c1c4873b20d
https://git.kernel.org/stable/c/733a35c00ef363a1c774d7ea486e0735b7c13a15
https://git.kernel.org/stable/c/82bf8e7271fade40184177cb406203addc34c4a0
https://git.kernel.org/stable/c/863e0d81b6683c4cbc588ad831f560c90e494bef
https://git.kernel.org/stable/c/9c96238fac045b289993d7bc5aae7b2d72b25c76
https://git.kernel.org/stable/c/efb54ec548829e1d3605f0434526f86e345b1b28

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 20.03 LTS SP4 update for kernel
SUSE update for the Linux Kernel
Use-after-free in Linux kernel ocfs2 dlmfs