{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-3176","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","assignerShortName":"Google","dateUpdated":"2025-04-21T13:49:18.998Z","dateReserved":"2022-09-12T00:00:00.000Z","datePublished":"2022-09-16T13:55:09.907Z"},"containers":{"cna":{"title":"Use-after-free in io_uring in Linux Kernel","datePublic":"2022-08-31T00:00:00.000Z","providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2023-02-16T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659"}],"affected":[{"vendor":"Linux","product":"Kernel","versions":[{"version":"unspecified","lessThan":"fc78b2fc21f10c4c9c4d5d659a685710ffa63659","status":"affected","versionType":"custom"}]}],"references":[{"url":"https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659"},{"url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?h=linux-5.4.y&id=fc78b2fc21f10c4c9c4d5d659a685710ffa63659"},{"name":"DSA-5257","tags":["vendor-advisory"],"url":"https://www.debian.org/security/2022/dsa-5257"},{"name":"[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"},{"url":"https://security.netapp.com/advisory/ntap-20230216-0003/"}],"credits":[{"lang":"en","value":"Bing-Jhong Billy Jheng <billy@starlabs.sg>"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-416 Use After Free","cweId":"CWE-416"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"discovery":"EXTERNAL"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T01:00:10.627Z"},"title":"CVE Program Container","references":[{"url":"https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659","tags":["x_transferred"]},{"url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?h=linux-5.4.y&id=fc78b2fc21f10c4c9c4d5d659a685710ffa63659","tags":["x_transferred"]},{"name":"DSA-5257","tags":["vendor-advisory","x_transferred"],"url":"https://www.debian.org/security/2022/dsa-5257"},{"name":"[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"},{"url":"https://security.netapp.com/advisory/ntap-20230216-0003/","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-21T13:36:53.122626Z","id":"CVE-2022-3176","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-21T13:49:18.998Z"}}]}}