fkie_cve-2022-50095
Vulnerability from fkie_nvd
Published
2025-06-18 11:15
Modified
2025-06-18 13:47
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: Cleanup CPU timers before freeing them during exec Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer. When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID. That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free. Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: Cleanup CPU timers before freeing them during exec\n\nCommit 55e8c8eb2c7b (\"posix-cpu-timers: Store a reference to a pid not a\ntask\") started looking up tasks by PID when deleting a CPU timer.\n\nWhen a non-leader thread calls execve, it will switch PIDs with the leader\nprocess. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find\nthe task because the timer still points out to the old PID.\n\nThat means that armed timers won\u0027t be disarmed, that is, they won\u0027t be\nremoved from the timerqueue_list. exit_itimers will still release their\nmemory, and when that list is later processed, it leads to a\nuse-after-free.\n\nClean up the timers from the de-threaded task before freeing them. This\nprevents a reported use-after-free."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: posix-cpu-timers: Limpiar los temporizadores de CPU antes de liberarlos durante la ejecuci\u00f3n. el commit 55e8c8eb2c7b (\"posix-cpu-timers: Almacenar una referencia a un PID, no a una tarea\") comenz\u00f3 a buscar tareas por PID al eliminar un temporizador de CPU. Cuando un subproceso no l\u00edder llama a execve, intercambia los PID con el proceso l\u00edder. Luego, al llamar a exit_itimers, posix_cpu_timer_del no puede encontrar la tarea porque el temporizador a\u00fan apunta al PID anterior. Esto significa que los temporizadores armados no se desarmar\u00e1n; es decir, no se eliminar\u00e1n de timerqueue_list. exit_itimers liberar\u00e1 su memoria y, cuando esa lista se procese posteriormente, se generar\u00e1 un Use-After-Free. Limpie los temporizadores de la tarea desprovista de subprocesos antes de liberarlos. Esto evita un Use-After-Free reportado."
    }
  ],
  "id": "CVE-2022-50095",
  "lastModified": "2025-06-18T13:47:40.833",
  "metrics": {},
  "published": "2025-06-18T11:15:38.740",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.