{"timestamp":"2024-10-22T13:21:45.788376Z","id":"CVE-2022-48950","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["kernel/events/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ca7b0a10287e2733bdafb01ef0d4038536625fe3","lessThan":"8bffa95ac19ff27c8261904f89d36c7fcf215d59","versionType":"git","status":"affected"},{"version":"078c12ccf1fb943cc18c84894c76113dc89e5975","lessThan":"78e1317a174edbfd1182599bf76c092a2877672c","versionType":"git","status":"affected"},{"version":"ca6c21327c6af02b7eec31ce4b9a740a18c6c13f","lessThan":"517e6a301f34613bff24a8e35b5455884f2d83d8","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["kernel/events/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15.77","lessThan":"5.15.84","versionType":"semver","status":"affected"},{"version":"6.0.7","lessThan":"6.0.14","versionType":"semver","status":"affected"}]}]

NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

NIST CWE-416

OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 5.15.84
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.0.14
     *cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*

https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8 No Types Assigned

https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8 Patch

https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c No Types Assigned

https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c Patch

https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59 No Types Assigned

https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59 Patch

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix perf_pending_task() UaF

Per syzbot it is possible for perf_pending_task() to run after the
event is free()'d. There are two related but distinct cases:

 - the task_work was already queued before destroying the event;
 - destroying the event itself queues the task_work.

The first cannot be solved using task_work_cancel() since
perf_release() itself might be called from a task_work (____fput),
which means the current->task_works list is already empty and
task_work_cancel() won't be able to find the perf_pending_task()
entry.

The simplest alternative is extending the perf_event lifetime to cover
the task_work.

The second is just silly, queueing a task_work while you know the
event is going away makes no sense and is easily avoided by
re-arranging how the event is marked STATE_DEAD and ensuring it goes
through STATE_OFF on the way down.

kernel.org https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8 [No types assigned]

kernel.org https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c [No types assigned]

kernel.org https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59 [No types assigned]