
CVE-2022-3910 PoC — Use after free in IO_uring in the Linux Kernel

Associated Vulnerability
Title: Use after free in IO_uring in the Linux Kernel (CVE-2022-3910)
Description: Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
Description: CVE-2022-3910
Readme
# CVE-2022-3910

- poc

![](assets/poc_success.png)

- dirtyfile

![](assets/dirtyfile_success.png)

![](assets/ubuntu_dirtyfile_success.png)

- dirtymm

![](assets/dirtymm_success.png)

![](assets/ubuntu_dirtymm_success.png)

File Snapshot

[4.0K] /data/pocs/cf144c2ed6336ebe03827003ed7e0277d32fda0f
├── [4.0K] assets
│   ├── [ 64K] dirtyfile_success.png
│   ├── [ 72K] dirtymm_success.png
│   ├── [109K] poc_success.png
│   ├── [ 79K] ubuntu_dirtyfile_success.png
│   └── [114K] ubuntu_dirtymm_success.png
├── [ 340] boot.sh
├── [ 12M] bzImage
├── [263K] config
├── [6.2K] exp_dirtyfile.c
├── [ 10K] exp_dirtymm.c
├── [7.5K] exp_dirtymm_container.c
├── [4.0K] liburing
│   ├── [4.0K] include
│   │   ├── [4.0K] liburing
│   │   │   ├── [2.4K] barrier.h
│   │   │   ├── [ 276] compat.h
│   │   │   ├── [ 17K] io_uring.h
│   │   │   └── [ 164] io_uring_version.h
│   │   └── [ 40K] liburing.h
│   └── [220K] liburing.a
├── [ 521] Makefile
├── [3.0K] poc.c
├── [ 227] README.md
├── [5.6M] rootfs.cpio
└── [ 192] suid_dummy.c

4 directories, 22 files