CVE-2022-3303: Race Condition
First published: Tue Sep 27 2022(Updated: )
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <6.0 | |
| Linux Kernel | =6.0-rc1 | |
| Linux Kernel | =6.0-rc2 | |
| Linux Kernel | =6.0-rc3 | |
| Linux Kernel | =6.0-rc4 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.119-1 6.12.10-1 6.12.11-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
- https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html
- https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/
- https://www.debian.org/security/2022/dsa-5257
- https://launchpad.net/bugs/cve/CVE-2022-3303
- https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA%40mail.gmail.com/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303
- https://nvd.nist.gov/vuln/detail/CVE-2022-3303
- https://security-tracker.debian.org/tracker/CVE-2022-3303
- https://ubuntu.com/security/CVE-2022-3303
- https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
Frequently Asked Questions
What is the severity of CVE-2022-3303?
CVE-2022-3303 has a medium severity rating due to its potential for a system crash resulting from a NULL pointer dereference.
How do I fix CVE-2022-3303?
To fix CVE-2022-3303, update to a patched version of the Linux kernel such as 5.10.223-1, 5.10.226-1, or any later version.
Who is affected by CVE-2022-3303?
CVE-2022-3303 affects privileged local users, specifically those with root access or members of the audio group on vulnerable Linux kernel versions.
What versions of the Linux kernel are affected by CVE-2022-3303?
CVE-2022-3303 affects Linux kernel versions up to 6.0 and specific release candidates such as 6.0-rc1 to 6.0-rc4.
Is CVE-2022-3303 exploitable remotely?
CVE-2022-3303 is not exploitable remotely as it requires local privilege escalation by an authenticated user.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.0-rc1
- version/linux kernel/6.0-rc2
- version/linux kernel/6.0-rc3
- version/linux kernel/6.0-rc4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian