{ "threat_severity" : "Moderate", "public_date" : "2025-02-26T00:00:00Z", "bugzilla" : { "description" : "kernel: tipc: fix use-after-free Read in tipc_named_reinit", "id" : "2347851", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347851" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntipc: fix use-after-free Read in tipc_named_reinit\nsyzbot found the following issue on:\n==================================================================\nBUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0\nnet/tipc/name_distr.c:413\nRead of size 8 at addr ffff88805299a000 by task kworker/1:9/23764\nCPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted\n5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 01/01/2011\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description.constprop.0.cold+0xeb/0x495\nmm/kasan/report.c:313\nprint_report mm/kasan/report.c:429 [inline]\nkasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491\ntipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413\ntipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138\nprocess_one_work+0x996/0x1610 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e9/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298\n\n[...]\n==================================================================\nIn the commit\nd966ddcc3821 (\"tipc: fix a deadlock when flushing scheduled work\"),\nthe cancel_work_sync() function just to make sure ONLY the work\ntipc_net_finalize_work() is executing/pending on any CPU completed before\ntipc namespace is destroyed through tipc_exit_net(). But this function\nis not guaranteed the work is the last queued. So, the destroyed instance\nmay be accessed in the work which will try to enqueue later.\nIn order to completely fix, we re-order the calling of cancel_work_sync()\nto make sure the work tipc_net_finalize_work() was last queued and it\nmust be completed by calling cancel_work_sync().", "A vulnerability was found in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem, allowing a use-after-free condition during the cleanup process. This issue arises when the kernel's work queue mechanism does not properly synchronize the destruction of TIPC namespaces with the completion of pending work items. \nSpecifically, the function responsible for canceling pending work (cancel_work_sync()) ensures that a particular work item (tipc_net_finalize_work) is completed before the namespace is destroyed. However, it does not guarantee that this work item is the last one queued, leading to the possibility of accessing freed memory if additional work is enqueued afterward." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9497", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.159.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9498", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.149.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9498", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.149.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9498", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.149.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9494", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.134.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9493", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.134.1.rt21.206.el9_0" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49696\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49696\nhttps://lore.kernel.org/linux-cve-announce/2025022628-CVE-2022-49696-c188@gregkh/T" ], "name" : "CVE-2022-49696", "csaw" : false }