CVE-2022-3176: Use-after-free in io_uring in Linux Kernel

First published: Fri Sep 16 2022(Updated: )

There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659

Credit: cve-coordination@google.com cve-coordination@google.com

Affected Software	Affected Version	How to fix
Linux Linux kernel	>=5.1<5.4.212
Linux Linux kernel	>=5.5<5.10.141
Linux Linux kernel	>=5.11<5.15.65
Linux Linux kernel	>=5.16<5.17
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0
debian/linux		5.10.218-1 5.10.221-1 6.1.94-1 6.1.99-1 6.9.12-1 6.10.3-1
ubuntu/linux	<5.4.0-128.144	5.4.0-128.144
ubuntu/linux	<5.15.0-50.56	5.15.0-50.56
ubuntu/linux	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws	<5.4.0-1086.93	5.4.0-1086.93
ubuntu/linux-aws	<5.15.0-1021.25	5.15.0-1021.25
ubuntu/linux-aws	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-5.0	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-5.15	<5.15.0-1021.25~20.04.1	5.15.0-1021.25~20.04.1
ubuntu/linux-aws-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-5.4	<5.4.0-1086.93~18.04.1	5.4.0-1086.93~18.04.1
ubuntu/linux-aws-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-fips	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-aws-hwe	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure	<5.4.0-1094.100	5.4.0-1094.100
ubuntu/linux-azure	<5.15.0-1021.26	5.15.0-1021.26
ubuntu/linux-azure	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-4.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-5.15	<5.15.0-1021.26~20.04.1	5.15.0-1021.26~20.04.1
ubuntu/linux-azure-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-5.4	<5.4.0-1094.100~18.04.1	5.4.0-1094.100~18.04.1
ubuntu/linux-azure-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-edge	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-fde	<5.4.0-1094.100	5.4.0-1094.100
ubuntu/linux-azure-fde	<5.15.0-1024.30.1	5.15.0-1024.30.1
ubuntu/linux-azure-fde	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-fde-5.15	<5.15.0-1021.26~20.04.1.1	5.15.0-1021.26~20.04.1.1
ubuntu/linux-azure-fde-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-azure-fips	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-bluefield	<5.4.0-1047.52	5.4.0-1047.52
ubuntu/linux-bluefield	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-dell300x	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-fips	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp	<5.4.0-1090.98	5.4.0-1090.98
ubuntu/linux-gcp	<5.15.0-1019.25	5.15.0-1019.25
ubuntu/linux-gcp	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp-4.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp-5.15	<5.15.0-1021.28~20.04.1	5.15.0-1021.28~20.04.1
ubuntu/linux-gcp-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp-5.4	<5.4.0-1092.101~18.04.1	5.4.0-1092.101~18.04.1
ubuntu/linux-gcp-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gcp-fips	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gke	<5.4.0-1084.90	5.4.0-1084.90
ubuntu/linux-gke	<5.15.0-1017.20	5.15.0-1017.20
ubuntu/linux-gke	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gke-4.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gke-5.0	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gke-5.15	<5.15.0-1019.23~20.04.1	5.15.0-1019.23~20.04.1
ubuntu/linux-gke-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gke-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gkeop	<5.4.0-1054.57	5.4.0-1054.57
ubuntu/linux-gkeop	<5.15.0-1004.6	5.15.0-1004.6
ubuntu/linux-gkeop	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gkeop-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-gkeop-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-hwe	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-hwe-5.15	<5.15.0-50.56~20.04.1	5.15.0-50.56~20.04.1
ubuntu/linux-hwe-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-hwe-5.4	<5.4.0-128.144~18.04.1	5.4.0-128.144~18.04.1
ubuntu/linux-hwe-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-hwe-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-hwe-edge	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-ibm	<5.4.0-1034.38	5.4.0-1034.38
ubuntu/linux-ibm	<5.15.0-1015.17	5.15.0-1015.17
ubuntu/linux-ibm	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-ibm-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-ibm-5.4	<5.4.0-1034.38~18.04.1	5.4.0-1034.38~18.04.1
ubuntu/linux-ibm-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-intel	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-intel-5.13	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-intel-iotg	<5.15.0-1017.22	5.15.0-1017.22
ubuntu/linux-intel-iotg	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-intel-iotg-5.15	<5.15.0-1017.22~20.04.1	5.15.0-1017.22~20.04.1
ubuntu/linux-intel-iotg-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-iot	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-kvm	<5.4.0-1076.81	5.4.0-1076.81
ubuntu/linux-kvm	<5.15.0-1019.23	5.15.0-1019.23
ubuntu/linux-kvm	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-laptop	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-lowlatency	<5.15.0-50.56	5.15.0-50.56
ubuntu/linux-lowlatency	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-lowlatency-hwe-5.15	<5.15.0-50.56~20.04.1	5.15.0-50.56~20.04.1
ubuntu/linux-lowlatency-hwe-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-lowlatency-hwe-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-lts-xenial	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-nvidia	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-nvidia-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-nvidia-6.8	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-nvidia-lowlatency	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-5.10	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-5.14	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-5.17	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-5.6	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-6.0	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-6.8	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oem-osp1	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle	<5.4.0-1084.92	5.4.0-1084.92
ubuntu/linux-oracle	<5.15.0-1019.24	5.15.0-1019.24
ubuntu/linux-oracle	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle-5.0	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle-5.13	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle-5.15	<5.15.0-1019.24~20.04.1	5.15.0-1019.24~20.04.1
ubuntu/linux-oracle-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle-5.4	<5.4.0-1084.92~18.04.1	5.4.0-1084.92~18.04.1
ubuntu/linux-oracle-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-oracle-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-raspi	<5.4.0-1071.81	5.4.0-1071.81
ubuntu/linux-raspi	<5.15.0-1016.18	5.15.0-1016.18
ubuntu/linux-raspi	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-raspi-5.4	<5.4.0-1071.81~18.04.1	5.4.0-1071.81~18.04.1
ubuntu/linux-raspi-5.4	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-raspi2	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-riscv	<5.15.0-1020.23	5.15.0-1020.23
ubuntu/linux-riscv	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-riscv-5.15	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-riscv-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-snapdragon	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-starfive	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-starfive-6.5	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65
ubuntu/linux-xilinx-zynqmp	<5.17~<5.4.212<5.15.65	5.17~ 5.4.212 5.15.65

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/nvd-index
agent/type
agent/first-publish-date
agent/remedy
collector/launchpad-cve
source/Launchpad
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/description
agent/weakness
agent/references
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/severity
agent/event
agent/tags
collector/security-tracker-debian
source/Debian
collector/usn-cve
source/Ubuntu
vendor/linux
canonical/linux linux kernel
version/linux linux kernel/5.1
version/linux linux kernel/5.5
version/linux linux kernel/5.11
version/linux linux kernel/5.16
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
version/debian debian linux/11.0
package-manager/debian
package-manager/ubuntu

CVE-2022-3176: Use-after-free in io_uring in Linux Kernel

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact