Use-After-Free Vulnerability in Linux io_uring and Unix SCM
CVE-2022-2602
5.3 MEDIUM
Key Information:
- Vendor: The Linux Kernel Organization
- Status
- Linux
- Vendor
- CVE Published: 8 January 2024
Badges: Exploit Exists, Public PoC
Summary
A use-after-free vulnerability exists in how io_uring's registered (fixed) files interact with the Unix SCM garbage collector, the kernel code that reclaims file descriptors passed over AF_UNIX sockets with SCM_RIGHTS. Registered files are attached to the ring's internal Unix socket so that the collector can see them, and the collector could free such a file while an in-flight io_uring request still referenced it. A local, low-privileged user who can create io_uring instances can trigger the dangling reference; depending on the kernel heap state this yields a denial of service (kernel crash) or, with more effort, arbitrary code execution in the kernel, which is consistent with the Local / High complexity / Low privileges CVSS metrics below. The upstream fix (commit "io_uring/af_unix: defer registered files gc to io_uring release", landed in 6.1-rc1) defers collection of registered files until the io_uring instance itself is released; it was backported to the supported stable branches, so users and administrators of Linux systems should install their distribution's patched kernel and, where that is not yet possible, consider restricting unprivileged io_uring use (for example via the io_uring_disabled sysctl on kernels that provide it).
Affected Version(s)
Linux kernel (The Linux Kernel Organization): all versions before 6.1-rc1 (listed as "0 < 6.1~rc1")
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Public PoC code is also a key building block for weaponization, which can end in ransomware deployment; three PoCs are recorded for this CVE (see Collectors below), so treat the patch as urgent rather than optional.
References
CVSS V3.1
- Score: 5.3
- Severity: MEDIUM
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None
- Vector string assembled from the metrics above: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Note: under the published CVSS v3.1 formula, the metric values listed here (Local, High complexity, Low privileges, no user interaction, Scope unchanged, C:N/I:L/A:N) produce a base score of 2.5 (Low), not 5.3 (Medium). Either the score or the individual metrics on this entry are wrong; confirm both against the NVD and MITRE records listed under Collectors before using the number for prioritisation.
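The following calculator is an added example written for this page, not code from the Linux kernel, the reporters, or the database that hosts this entry. It implements the public CVSS v3.1 base-score formula (FIRST specification: ISS, Impact, Exploitability, Roundup) and is used here to cross-check the metrics listed above by feeding in the vector assembled from them; the other two vectors in the tests are standard examples from the specification, not claims about this CVE.

```c
#include <stdio.h>
#include <string.h>

/* Added example: CVSS v3.1 base-score calculator, built from the public
 * FIRST specification to cross-check the metrics shown on this page.
 * Not part of the advisory, the kernel, or the reporters' material. */

/* CVSS v3.1 "Roundup": round up to one decimal place using the spec's
 * integer trick so floating-point noise cannot flip a result.
 * Inputs are non-negative, so +0.5 truncation is a safe round(). */
static double cvss31_roundup(double x)
{
    long long int_input = (long long)(x * 100000.0 + 0.5);
    if (int_input % 10000 == 0)
        return int_input / 100000.0;
    return ((int_input / 10000) + 1) / 10.0;
}

/* Numeric weight of one metric value; only PR depends on Scope.
 * Returns -1 for an unknown value. */
static double cvss31_weight(const char *metric, char value, int scope_changed)
{
    if (!strcmp(metric, "AV"))
        return value == 'N' ? 0.85 : value == 'A' ? 0.62 :
               value == 'L' ? 0.55 : value == 'P' ? 0.20 : -1;
    if (!strcmp(metric, "AC"))
        return value == 'L' ? 0.77 : value == 'H' ? 0.44 : -1;
    if (!strcmp(metric, "PR")) {
        if (value == 'N') return 0.85;
        if (value == 'L') return scope_changed ? 0.68 : 0.62;
        if (value == 'H') return scope_changed ? 0.50 : 0.27;
        return -1;
    }
    if (!strcmp(metric, "UI"))
        return value == 'N' ? 0.85 : value == 'R' ? 0.62 : -1;
    /* C, I and A share one scale. */
    return value == 'H' ? 0.56 : value == 'L' ? 0.22 : value == 'N' ? 0.0 : -1;
}

/* Parse a vector such as "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
 * and return its base score, or -1.0 if the vector is malformed. */
double cvss31_base_score(const char *vector)
{
    const char *names[8] = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"};
    char val[8] = {0};                 /* one letter per base metric */
    char buf[128];

    if (strlen(vector) >= sizeof buf) return -1.0;
    strcpy(buf, vector);

    char *tok = strtok(buf, "/");
    if (!tok || strcmp(tok, "CVSS:3.1") != 0) return -1.0;

    while ((tok = strtok(NULL, "/")) != NULL) {
        char *colon = strchr(tok, ':');
        if (!colon || strlen(colon) != 2) return -1.0;   /* expect ":X" */
        *colon = '\0';
        for (int k = 0; k < 8; k++)
            if (!strcmp(tok, names[k])) { val[k] = colon[1]; break; }
        /* Temporal/environmental metrics are ignored for the base score. */
    }
    for (int k = 0; k < 8; k++)
        if (!val[k]) return -1.0;      /* every base metric is mandatory */
    if (val[4] != 'U' && val[4] != 'C') return -1.0;
    int scope_changed = (val[4] == 'C');

    double w[8] = {0};
    for (int k = 0; k < 8; k++) {
        if (k == 4) continue;          /* Scope has no weight of its own */
        w[k] = cvss31_weight(names[k], val[k], scope_changed);
        if (w[k] < 0) return -1.0;
    }

    double iss = 1.0 - (1.0 - w[5]) * (1.0 - w[6]) * (1.0 - w[7]);
    double impact;
    if (scope_changed) {
        double t = iss - 0.02, p = 1.0;
        for (int k = 0; k < 15; k++) p *= t;            /* (ISS - 0.02)^15 */
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * w[0] * w[1] * w[2] * w[3];

    if (impact <= 0.0) return 0.0;
    double sum = impact + exploitability;
    if (scope_changed) sum *= 1.08;
    return cvss31_roundup(sum < 10.0 ? sum : 10.0);
}

/* Qualitative severity rating for a base score (spec section 5). */
const char *cvss31_severity(double score)
{
    if (score < 0.0) return "INVALID";
    if (score == 0.0) return "NONE";
    if (score < 4.0) return "LOW";
    if (score < 7.0) return "MEDIUM";
    if (score < 9.0) return "HIGH";
    return "CRITICAL";
}

int main(void)
{
    /* Vector assembled from the metric values listed on this page. */
    const char *page_vector = "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N";
    double s = cvss31_base_score(page_vector);
    printf("%s -> %.1f (%s)\n", page_vector, s, cvss31_severity(s));
    return 0;
}
```

Running it prints 2.5 (LOW) for the page's metrics rather than the 5.3 shown, which is why the score and the individual metrics on this entry should be checked against the NVD and MITRE records. The same function reproduces the specification's reference values (9.8 for a network, no-privilege, full-impact vector; 5.4 for a scope-changed, low-impact vector), so the discrepancy is in the page data, not in the formula.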
Timeline
- Vulnerability published
- Public PoC available
- Exploit known to exist
- Vulnerability Reserved
Collectors
NVD Database, MITRE Database, 3 Proof of Concept(s)
Credit
David Bouman
Billy Jheng Bing Jhong working with Trend Micro's Zero Day Initiative