{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-48950","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-08-22T01:27:53.625Z","datePublished":"2024-10-21T20:05:38.440Z","dateUpdated":"2025-12-23T13:21:16.235Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-12-23T13:21:16.235Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/events/core.c"],"versions":[{"version":"ca7b0a10287e2733bdafb01ef0d4038536625fe3","lessThan":"8bffa95ac19ff27c8261904f89d36c7fcf215d59","status":"affected","versionType":"git"},{"version":"078c12ccf1fb943cc18c84894c76113dc89e5975","lessThan":"78e1317a174edbfd1182599bf76c092a2877672c","status":"affected","versionType":"git"},{"version":"ca6c21327c6af02b7eec31ce4b9a740a18c6c13f","lessThan":"517e6a301f34613bff24a8e35b5455884f2d83d8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/events/core.c"],"versions":[{"version":"5.15.77","lessThan":"5.15.84","status":"affected","versionType":"semver"},{"version":"6.0.7","lessThan":"6.0.14","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.77","versionEndExcluding":"5.15.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.7","versionEndExcluding":"6.0.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59"},{"url":"https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c"},{"url":"https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8"}],"title":"perf: Fix perf_pending_task() UaF","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48950","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:21:45.788376Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:28:40.788Z"}}]}}