CVE-2022-50095 (GCVE-0-2022-50095)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: Cleanup CPU timers before freeing them during exec Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer. When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID. That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free. Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free.
References
Impacted products
Vendor Product Version
Linux Linux Version: 55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59
Version: 55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59
Version: 55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59
Version: 55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59
Version: 55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "541840859ace9c2ccebc32fa9e376c7bd3def490",
              "status": "affected",
              "version": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59",
              "versionType": "git"
            },
            {
              "lessThan": "9e255ed238fc67058df87b0388ad6d4b2ef3a2bd",
              "status": "affected",
              "version": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59",
              "versionType": "git"
            },
            {
              "lessThan": "e8cb6e8fd9890780f1bfcf5592889e1b879e779c",
              "status": "affected",
              "version": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59",
              "versionType": "git"
            },
            {
              "lessThan": "b2fc1723eb65abb83e00d5f011de670296af0b28",
              "status": "affected",
              "version": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59",
              "versionType": "git"
            },
            {
              "lessThan": "e362359ace6f87c201531872486ff295df306d13",
              "status": "affected",
              "version": "55e8c8eb2c7b6bf30e99423ccfe7ca032f498f59",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.137",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.137",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.61",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: Cleanup CPU timers before freeing them during exec\n\nCommit 55e8c8eb2c7b (\"posix-cpu-timers: Store a reference to a pid not a\ntask\") started looking up tasks by PID when deleting a CPU timer.\n\nWhen a non-leader thread calls execve, it will switch PIDs with the leader\nprocess. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find\nthe task because the timer still points out to the old PID.\n\nThat means that armed timers won\u0027t be disarmed, that is, they won\u0027t be\nremoved from the timerqueue_list. exit_itimers will still release their\nmemory, and when that list is later processed, it leads to a\nuse-after-free.\n\nClean up the timers from the de-threaded task before freeing them. This\nprevents a reported use-after-free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:02:33.221Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28"
        },
        {
          "url": "https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13"
        }
      ],
      "title": "posix-cpu-timers: Cleanup CPU timers before freeing them during exec",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50095",
    "datePublished": "2025-06-18T11:02:33.221Z",
    "dateReserved": "2025-06-18T10:57:27.411Z",
    "dateUpdated": "2025-06-18T11:02:33.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50095\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:38.740\",\"lastModified\":\"2025-06-18T13:47:40.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nposix-cpu-timers: Cleanup CPU timers before freeing them during exec\\n\\nCommit 55e8c8eb2c7b (\\\"posix-cpu-timers: Store a reference to a pid not a\\ntask\\\") started looking up tasks by PID when deleting a CPU timer.\\n\\nWhen a non-leader thread calls execve, it will switch PIDs with the leader\\nprocess. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find\\nthe task because the timer still points out to the old PID.\\n\\nThat means that armed timers won\u0027t be disarmed, that is, they won\u0027t be\\nremoved from the timerqueue_list. exit_itimers will still release their\\nmemory, and when that list is later processed, it leads to a\\nuse-after-free.\\n\\nClean up the timers from the de-threaded task before freeing them. This\\nprevents a reported use-after-free.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: posix-cpu-timers: Limpiar los temporizadores de CPU antes de liberarlos durante la ejecuci\u00f3n. el commit 55e8c8eb2c7b (\\\"posix-cpu-timers: Almacenar una referencia a un PID, no a una tarea\\\") comenz\u00f3 a buscar tareas por PID al eliminar un temporizador de CPU. Cuando un subproceso no l\u00edder llama a execve, intercambia los PID con el proceso l\u00edder. Luego, al llamar a exit_itimers, posix_cpu_timer_del no puede encontrar la tarea porque el temporizador a\u00fan apunta al PID anterior. Esto significa que los temporizadores armados no se desarmar\u00e1n; es decir, no se eliminar\u00e1n de timerqueue_list. exit_itimers liberar\u00e1 su memoria y, cuando esa lista se procese posteriormente, se generar\u00e1 un Use-After-Free. Limpie los temporizadores de la tarea desprovista de subprocesos antes de liberarlos. Esto evita un Use-After-Free reportado.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.