Use-after-free Vulnerability in Ubuntu POSIX CPU Timers
CVE-2022-2585
5.3 MEDIUM
What is CVE-2022-2585?
A vulnerability exists in Ubuntu that occurs when exec is called from a non-leader thread. Armed POSIX CPU timers are left on a list while being freed, resulting in a potential use-after-free. This flaw may lead to unintended behavior in the system, including possible crashes or arbitrary code execution if exploited. Immediate action and patching are essential to mitigate the risks associated with this vulnerability.
Affected Version(s)
linux Linux 0 < 6.0~rc1
References
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Credit
An independent security researcher working with SSD Secure Disclosure
