Use After Free Vulnerability in lio_listio System Call
CVE-2022-23090

Currently unrated

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 15 February 2024

What is CVE-2022-23090?

The aio_aqueue function, associated with the lio_listio system call in FreeBSD, has a significant flaw wherein it fails to release a reference to credentials during error conditions. This oversight can allow an attacker to manipulate the reference count, potentially leading to a use-after-free condition. Such vulnerabilities can have profound implications, potentially enabling unauthorized access, data manipulation or system instability. It's essential for users of the affected FreeBSD versions to review security advisories and implement the recommended mitigations promptly.

Affected Version(s)

FreeBSD 13.1-RELEASE

FreeBSD 13.0-RELEASE

FreeBSD 12.3-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-22:10....

vendor-advisory

https://security.netapp.com/advisory/ntap-20240415-0007/

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 15, 2024
Vulnerability Reserved
Jan 10, 2022

Credit

Chris J-D <[email protected]>