Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-48988

Disclosure Date: October 21, 2024 •

CVE-2022-48988 CVSS v3 Base Score: 7.0

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can’t be
renamed, it’s safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can’t be
removed before the directory, it’s safe to access the parent too.

Prior to 347c4a874710 (“memcg: remove cgroup_event->cft”), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free’s.

Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let’s check the superblock
and dentry type.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.0 High

Impact Score:

5.9

Exploitability Score:

Vector:

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

High

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

linux

Products

linux kernel,
linux kernel 6.1

References

Canonical

CVE-2022-48988 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48988)

Miscellaneous

https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125

https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8

https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917

https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad

https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13

https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc

https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088

Rapid7

Unknown

CVE-2022-48988

Unknown

Unknown

None

Low

Local

CVE-2022-48988

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-48988

Unknown

Unknown

None

Low

Local

CVE-2022-48988

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification