vulnerability
Ubuntu: (CVE-2022-49256): linux vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Feb 26, 2025 | Mar 19, 2025 | Mar 21, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Actually free the watch
free_watch() does everything barring actually freeing the watch object. Fix
this by adding the missing kfree.
kmemleak produces a report something like the following. Note that as an
address can be seen in the first word, the watch would appear to have gone
through call_rcu().
BUG: memory leak
unreferenced object 0xffff88810ce4a200 (size 96):
comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s)
hex dump (first 32 bytes):
e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H.............
80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[] kmalloc include/linux/slab.h:581 [inline]
[] kzalloc include/linux/slab.h:714 [inline]
[] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800
[] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016
[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[] entry_SYSCALL_64_after_hwframe+0x44/0xae
Solution(s)
References
- CVE-2022-49256
- https://attackerkb.com/topics/CVE-2022-49256
- URL-https://git.kernel.org/linus/3d8dcf278b1ee1eff1e90be848fa2237db4c07a7
- URL-https://git.kernel.org/stable/c/31824613a42aacdcbeb325bf07a1c8247a11ebe2
- URL-https://git.kernel.org/stable/c/3d8dcf278b1ee1eff1e90be848fa2237db4c07a7
- URL-https://git.kernel.org/stable/c/7e8c9b0df07a77f0d072603b8ced2677e30e1893
- URL-https://git.kernel.org/stable/c/9d92be1a09fbb3dd65600dbfe7eedb40e7228e4b
- URL-https://git.kernel.org/stable/c/f69aecb49968e14196366bbe896eab0a904229f5
- URL-https://www.cve.org/CVERecord?id=CVE-2022-49256
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.