CVE-2022-50274
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: adopts refcnt to avoid UAF dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object.
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.02%• Percentile: 5%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < ac521bbe3d00fa574e66a9361763f2b37725bc97 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 219b44bf94203bd433aa91b7796475bf656348e5 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 6d18b44bb44e1f4d97dfe0efe92ac0f0984739c2 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2abd73433872194bccdf1432a0980e4ec5273c2a | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 88a6f8a72d167294c0931c7874941bf37a41b6dd | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < a2f0a08aa613176c9688c81d7b598a7779974991 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 9945d05d6693710574f354c5dbddc47f5101eb77 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 | 2.6.12
- linux•linux_kernel
< 4.14.303 | ≥ 4.15, < 4.19.270 | ≥ 4.20, < 5.4.229 | ≥ 5.5, < 5.10.163 | ≥ 5.11, < 5.15.86 | ≥ 5.16, < 6.0.16 | ≥ 6.1, < 6.1.2
References (8)
- https://git.kernel.org/stable/c/ac521bbe3d00fa574e66a9361763f2b37725bc97
- https://git.kernel.org/stable/c/219b44bf94203bd433aa91b7796475bf656348e5
- https://git.kernel.org/stable/c/6d18b44bb44e1f4d97dfe0efe92ac0f0984739c2
- https://git.kernel.org/stable/c/2abd73433872194bccdf1432a0980e4ec5273c2a
- https://git.kernel.org/stable/c/88a6f8a72d167294c0931c7874941bf37a41b6dd
- https://git.kernel.org/stable/c/a2f0a08aa613176c9688c81d7b598a7779974991
- https://git.kernel.org/stable/c/9945d05d6693710574f354c5dbddc47f5101eb77
- https://git.kernel.org/stable/c/0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79