Use-After-Free Vulnerability in Systemd Affecting DNS Processing
CVE-2022-2526

9.8 CRITICAL

Key Information:

Vendor
CVE Published: 9 September 2022

What is CVE-2022-2526?

A use-after-free vulnerability has been identified in systemd, specifically in the DNS resolution code. The issue arises from improper handling of reference counting in the file resolved-dns-stream.c, particularly within the on_stream_io() and dns_stream_complete() functions. When these functions fail to correctly manage the reference count of the DnsStream object, a subsequent call can dereference an object that has already been freed. The flaw poses a significant risk because it can be reached through various callbacks, potentially leading to unpredictable application behavior and security breaches.
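The reference-counting pattern described above, as an added example that is not systemd code: a toy `Stream` object whose completion callback drops the owner's reference, and an I/O handler that either does or does not hold its own reference across that callback. All names (`Stream`, `on_io`, `drop_owner_ref`, `run_case`) are hypothetical, and the handler never touches the object after it may have been freed; it only reports whether that would have been safe.

```c
#include <stdlib.h>

/* Toy refcounted object; names are hypothetical, not systemd's. */
typedef struct Stream Stream;
struct Stream {
    unsigned n_ref;
    int *freed;                    /* flag stored outside the object, set on release */
    void (*on_complete)(Stream *); /* callback; may drop the owner's reference */
};

static Stream *stream_new(int *freed, void (*cb)(Stream *)) {
    Stream *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->n_ref = 1; s->freed = freed; s->on_complete = cb;
    *freed = 0;
    return s;
}
static void stream_ref(Stream *s) { s->n_ref++; }
static void stream_unref(Stream *s) {
    if (--s->n_ref == 0) { *s->freed = 1; free(s); }
}

/* Assumed callback behaviour: completion releases the owner's reference. */
static void drop_owner_ref(Stream *s) { stream_unref(s); }

/* I/O handler. Returns 1 if the stream was still alive when control came
 * back from the callback, 0 if any later use of s would be a use-after-free. */
static int on_io(Stream *s, int hold_ref) {
    int *freed = s->freed;          /* read before the callback can free s */
    if (hold_ref) stream_ref(s);    /* keep s alive for the whole handler */
    s->on_complete(s);
    int alive = !*freed;
    /* Real code would read or update s here; that is only safe if alive. */
    if (hold_ref) stream_unref(s);  /* drop the handler's own reference */
    return alive;
}

/* Runs one scenario; bit 0 = alive after callback, bit 1 = freed at the end. */
static int run_case(int hold_ref) {
    int freed = 0;
    Stream *s = stream_new(&freed, drop_owner_ref);
    if (!s) return -1;
    int alive = on_io(s, hold_ref);
    return alive | (freed << 1);
}

int main(void) {
    return (run_case(0) == 2 && run_case(1) == 3) ? 0 : 1;
}
```

Without the held reference the object is already gone when the handler resumes; with it, the object survives the callback and is still released exactly once at the end.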

Affected Version(s)

systemd-resolved systemd 240

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
