Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-49696— tipc: fix use-after-free Read in tipc_named_reinit

EPSS 0.11% · P30

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinuxd966ddcc38217a6110a6a0ff37ad2dee7d42e23e< 361c5521c1e49843b710f455cae3c0a50b714323affected
d966ddcc38217a6110a6a0ff37ad2dee7d42e23e< cd7789e659e84f137631dc1f5ec8d794f2700e6caffected
d966ddcc38217a6110a6a0ff37ad2dee7d42e23e< 8b246ddd394d7d9640816611693b0096b998e27aaffected
d966ddcc38217a6110a6a0ff37ad2dee7d42e23e< 911600bf5a5e84bfda4d33ee32acc75ecf6159f0affected
fdc1416c21992ea7b4737123c8aa8c7424a1a540affected
1716c9bd567bc6cdb3d18be78f36941a306b708daffected
5.10affected
< 5.10unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-49696

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
tipc: fix use-after-free Read in tipc_named_reinit
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: tipc: fix use-after-free Read in tipc_named_reinit syzbot found the following issue on: ================================================================== BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413 Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764 CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted 5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413 tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138 process_one_work+0x996/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK> [...] ================================================================== In the commit d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"), the cancel_work_sync() function just to make sure ONLY the work tipc_net_finalize_work() is executing/pending on any CPU completed before tipc namespace is destroyed through tipc_exit_net(). But this function is not guaranteed the work is the last queued. So, the destroyed instance may be accessed in the work which will try to enqueue later. In order to completely fix, we re-order the calling of cancel_work_sync() to make sure the work tipc_net_finalize_work() was last queued and it must be completed by calling cancel_work_sync().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在资源管理错误漏洞,该漏洞源于tipc_named_reinit中存在使用后读取问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d966ddcc38217a6110a6a0ff37ad2dee7d42e23e ~ 361c5521c1e49843b710f455cae3c0a50b714323 -
LinuxLinux 5.10 -

II. Public POCs for CVE-2022-49696

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-49696

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-02-26 · 706 CVEs total

CVE-2022-49496media: mediatek: vcodec: prevent kernel crash when rmmod mtk-vcodec-dec.ko
CVE-2022-49487mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()
CVE-2022-49486ASoC: fsl: Fix refcount leak in imx_sgtl5000_probe
CVE-2022-49488drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected
CVE-2022-49489drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm run
CVE-2022-49490drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected
CVE-2022-49491drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
CVE-2022-49492nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
CVE-2022-49493ASoC: rt5645: Fix errorenous cleanup order
CVE-2022-49494mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()
CVE-2022-49495drm/msm/hdmi: check return value after calling platform_get_resource_byname()
CVE-2022-49497net: remove two BUG() from skb_checksum_help()
CVE-2022-49503ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
CVE-2022-49508HID: elan: Fix potential double free in elan_input_configured
CVE-2022-49506drm/mediatek: Add vblank register/unregister callback functions
CVE-2022-49504scsi: lpfc: Inhibit aborts if external loopback plug is inserted
CVE-2022-49505NFC: NULL out the dev->rfkill to prevent UAF
CVE-2022-49502media: rga: fix possible memory leak in rga_probe
CVE-2022-49499drm/msm: Fix null pointer dereferences without iommu
CVE-2022-49498ALSA: pcm: Check for null pointer of pointer substream before dereferencing it

Showing top 20 of 706 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2022-49696

No comments yet

Leave a comment