{"vulnerability": "CVE-2022-4885", "sightings": [{"uuid": "92538156-8888-43c7-a3a3-86983f9c057d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2022-48852", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8", "content": "", "creation_timestamp": "2025-12-03T14:14:49.267740Z"}, {"uuid": "0e4ac5bc-6410-46a7-b8f0-4e22311419da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-4885", "type": "seen", "source": "https://t.me/cibsecurity/56359", "content": "\u203c CVE-2022-4885 \u203c\n\nA vulnerability has been found in sviehb jefferson up to 0.3 and classified as critical. This vulnerability affects unknown code of the file src/scripts/jefferson. The manipulation leads to path traversal. The attack can be initiated remotely. Upgrading to version 0.4 is able to address this issue. The name of the patch is 53b3f2fc34af0bb32afbcee29d18213e61471d87. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218020.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-11T20:43:47.000000Z"}, {"uuid": "d61a0b60-0257-41b7-8d18-9a6e75d3938f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48855", "type": "seen", "source": "https://t.me/cvedetector/969", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48855 - Linux SCTP Stack Kernel Infoleak\", \n \"Content\": \"CVE ID : CVE-2022-48855 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nsctp: fix kernel-infoleak for SCTP sockets \n \nsyzbot reported a kernel infoleak [1] of 4 bytes. \n \nAfter analysis, it turned out r->idiag_expires is not initialized \nif inet_sctp_diag_fill() calls inet_diag_msg_common_fill() \n \nMake sure to clear idiag_timer/idiag_retrans/idiag_expires \nand let inet_diag_msg_sctpasoc_fill() fill them again if needed. \n \n[1] \n \nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] \nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline] \nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 \n instrument_copy_to_user include/linux/instrumented.h:121 [inline] \n copyout lib/iov_iter.c:154 [inline] \n _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 \n copy_to_iter include/linux/uio.h:162 [inline] \n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 \n __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 \n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 \n skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline] \n netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 \n sock_recvmsg_nosec net/socket.c:948 [inline] \n sock_recvmsg net/socket.c:966 [inline] \n __sys_recvfrom+0x795/0xa10 net/socket.c:2097 \n __do_sys_recvfrom net/socket.c:2115 [inline] \n __se_sys_recvfrom net/socket.c:2111 [inline] \n __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111 \n do_syscall_x64 arch/x86/entry/common.c:51 [inline] \n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 \n entry_SYSCALL_64_after_hwframe+0x44/0xae \n \nUninit was created at: \n slab_post_alloc_hook mm/slab.h:737 [inline] \n slab_alloc_node mm/slub.c:3247 [inline] \n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 \n kmalloc_reserve net/core/skbuff.c:354 [inline] \n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 \n alloc_skb include/linux/skbuff.h:1158 [inline] \n netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 \n __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 \n netlink_dump_start include/linux/netlink.h:254 [inline] \n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 \n sock_diag_rcv_msg+0x24a/0x620 \n netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 \n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277 \n netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] \n netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343 \n netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919 \n sock_sendmsg_nosec net/socket.c:705 [inline] \n sock_sendmsg net/socket.c:725 [inline] \n sock_write_iter+0x594/0x690 net/socket.c:1061 \n do_iter_readv_writev+0xa7f/0xc70 \n do_iter_write+0x52c/0x1500 fs/read_write.c:851 \n vfs_writev fs/read_write.c:924 [inline] \n do_writev+0x645/0xe00 fs/read_write.c:967 \n __do_sys_writev fs/read_write.c:1040 [inline] \n __se_sys_writev fs/read_write.c:1037 [inline] \n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 \n do_syscall_x64 arch/x86/entry/common.c:51 [inline] \n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 \n entry_SYSCALL_64_after_hwframe+0x44/0xae \n \nBytes 68-71 of 2508 are uninitialized \nMemory access of size 2508 starts at ffff888114f9b000 \nData copied to user address 00007f7fe09ff2e0 \n \nCPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 \nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:14.000000Z"}, {"uuid": "8af6495a-9121-4e72-a61e-ac88627acba3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48858", "type": "seen", "source": "https://t.me/cvedetector/967", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48858 - \"Mellanox mlx5 Linux Kernel Refcount Use After Free Vulnerability\"\", \n \"Content\": \"CVE ID : CVE-2022-48858 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nnet/mlx5: Fix a race on command flush flow \n \nFix a refcount use after free warning due to a race on command entry. \nSuch race occurs when one of the commands releases its last refcount and \nfrees its index and entry while another process running command flush \nflow takes refcount to this command entry. The process which handles \ncommands flush may see this command as needed to be flushed if the other \nprocess released its refcount but didn't release the index yet. Fix it \nby adding the needed spin lock. \n \nIt fixes the following warning trace: \n \nrefcount_t: addition on 0; use-after-free. \nWARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 \n... \nRIP: 0010:refcount_warn_saturate+0x80/0xe0 \n... \nCall Trace: \n \n mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] \n mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] \n enter_error_state+0x44/0x80 [mlx5_core] \n mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] \n process_one_work+0x1be/0x390 \n worker_thread+0x4d/0x3d0 \n ? rescuer_thread+0x350/0x350 \n kthread+0x141/0x160 \n ? set_kthread_struct+0x40/0x40 \n ret_from_fork+0x1f/0x30 \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:12.000000Z"}, {"uuid": "25622dcb-c1f1-4bf9-91e8-caa458250bb9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48851", "type": "seen", "source": "https://t.me/cvedetector/966", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48851 - VMware ESXi GDM724x Use After Free Out-Of-Bounds Read\", \n \"Content\": \"CVE ID : CVE-2022-48851 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nstaging: gdm724x: fix use after free in gdm_lte_rx() \n \nThe netif_rx_ni() function frees the skb so we can't dereference it to \nsave the skb->len. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:11.000000Z"}, {"uuid": "0d4fce8d-f4c3-4009-bac3-8ea44e1b2126", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48859", "type": "seen", "source": "https://t.me/cvedetector/965", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48859 - Marvell Prestera Linux Kernel Node Pointer Leak Vulnerability\", \n \"Content\": \"CVE ID : CVE-2022-48859 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nnet: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr \n \nThis node pointer is returned by of_find_compatible_node() with \nrefcount incremented. Calling of_node_put() to aovid the refcount leak. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:10.000000Z"}, {"uuid": "64c4357c-c5a5-436c-a253-a54edcfc880e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48853", "type": "seen", "source": "https://t.me/cvedetector/964", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48853 - Virtio SCSI swiotlb DMA_INFO LEAK\", \n \"Content\": \"CVE ID : CVE-2022-48853 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nswiotlb: fix info leak with DMA_FROM_DEVICE \n \nThe problem I'm addressing was discovered by the LTP test covering \ncve-2018-1000204. \n \nA short description of what happens follows: \n1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO \n interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV \n and a corresponding dxferp. The peculiar thing about this is that TUR \n is not reading from the device. \n2) In sg_start_req() the invocation of blk_rq_map_user() effectively \n bounces the user-space buffer. As if the device was to transfer into \n it. Since commit a45b599ad808 (\"scsi: sg: allocate with __GFP_ZERO in \n sg_build_indirect()\") we make sure this first bounce buffer is \n allocated with GFP_ZERO. \n3) For the rest of the story we keep ignoring that we have a TUR, so the \n device won't touch the buffer we prepare as if the we had a \n DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device \n and the buffer allocated by SG is mapped by the function \n virtqueue_add_split() which uses DMA_FROM_DEVICE for the \"in\" sgs (here \n scatter-gather and not scsi generics). This mapping involves bouncing \n via the swiotlb (we need swiotlb to do virtio in protected guest like \n s390 Secure Execution, or AMD SEV). \n4) When the SCSI TUR is done, we first copy back the content of the second \n (that is swiotlb) bounce buffer (which most likely contains some \n previous IO data), to the first bounce buffer, which contains all \n zeros. Then we copy back the content of the first bounce buffer to \n the user-space buffer. \n5) The test case detects that the buffer, which it zero-initialized, \n ain't all zeros and fails. \n \nOne can argue that this is an swiotlb problem, because without swiotlb \nwe leak all zeros, and the swiotlb should be transparent in a sense that \nit does not affect the outcome (if all other participants are well \nbehaved). \n \nCopying the content of the original buffer into the swiotlb buffer is \nthe only way I can think of to make swiotlb transparent in such \nscenarios. So let's do just that if in doubt, but allow the driver \nto tell us that the whole mapped buffer is going to be overwritten, \nin which case we can preserve the old behavior and avoid the performance \nimpact of the extra bounce. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:06.000000Z"}, {"uuid": "35615872-77f2-4b0b-9c6a-30462f3dadb5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48856", "type": "seen", "source": "https://t.me/cvedetector/961", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48856 - Linux kernel Gianfar Driver Resource Leak Vulnerability\", \n \"Content\": \"CVE ID : CVE-2022-48856 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \ngianfar: ethtool: Fix refcount leak in gfar_get_ts_info \n \nThe of_find_compatible_node() function returns a node pointer with \nrefcount incremented, We should use of_node_put() on it when done \nAdd the missing of_node_put() to release the refcount. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:03.000000Z"}, {"uuid": "4405e67b-cf4f-4c47-b9f7-76acff089695", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48850", "type": "seen", "source": "https://t.me/cvedetector/960", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48850 - Here is the title: IBM Mellanox mlx5-core Null Pointer Dereference Vulnerability\", \n \"Content\": \"CVE ID : CVE-2022-48850 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nnet-sysfs: add check for netdevice being present to speed_show \n \nWhen bringing down the netdevice or system shutdown, a panic can be \ntriggered while accessing the sysfs path because the device is already \nremoved. \n \n [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called \n [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called \n ... \n [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) \n [ 758.031397] IP: [] dma_pool_alloc+0x1ab/0x280 \n \n crash> bt \n ... \n PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: \"amsd\" \n ... \n #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 \n [exception RIP: dma_pool_alloc+0x1ab] \n RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 \n RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 \n RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 \n RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 \n R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 \n R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 \n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 \n #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] \n #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] \n #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] \n #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] \n #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] \n #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] \n #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] \n #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 \n #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 \n #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 \n #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf \n #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 \n #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 \n #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 \n #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff \n #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f \n #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 \n \n crash> net_device.state ffff89443b0c0000 \n state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) \n \nTo prevent this scenario, we also make sure that the netdevice is present. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:17:02.000000Z"}, {"uuid": "bb97ddd3-e3c3-4ba8-b751-730b8416f3d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48854", "type": "seen", "source": "https://t.me/cvedetector/959", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48854 - Apache Linux Kernel Use After Free Vulnerability\", \n \"Content\": \"CVE ID : CVE-2022-48854 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nnet: arc_emac: Fix use after free in arc_mdio_probe() \n \nIf bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free \nthe \"bus\". But bus->name is still used in the next line, which will lead \nto a use after free. \n \nWe can fix it by putting the name in a local variable and make the \nbus->name point to the rodata section \"name\",then use the name in the \nerror message without referring to bus to avoid the uaf. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:16:59.000000Z"}, {"uuid": "93a0c7bf-f372-4f98-abce-7a29a1f0e06e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48852", "type": "seen", "source": "https://t.me/cvedetector/958", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48852 - AMD drm Binder Issue\", \n \"Content\": \"CVE ID : CVE-2022-48852 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \ndrm/vc4: hdmi: Unregister codec device on unbind \n \nOn bind we will register the HDMI codec device but we don't unregister \nit on unbind, leading to a device leakage. Unregister our device at \nunbind. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:16:58.000000Z"}, {"uuid": "f01abc36-d9fb-4c89-ad1f-145d795f0bfe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-48857", "type": "seen", "source": "https://t.me/cvedetector/957", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2022-48857 - Linux NFC: port100 Use-After-Free Vulnerability\", \n \"Content\": \"CVE ID : CVE-2022-48857 \nPublished : July 16, 2024, 1:15 p.m. | 37\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nNFC: port100: fix use-after-free in port100_send_complete \n \nSyzbot reported UAF in port100_send_complete(). The root case is in \nmissing usb_kill_urb() calls on error handling path of ->probe function. \n \nport100_send_complete() accesses devm allocated memory which will be \nfreed on probe failure. We should kill this urbs before returning an \nerror from probe function to prevent reported use-after-free \n \nFail log: \n \nBUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 \nRead of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 \n... \nCall Trace: \n \n __dump_stack lib/dump_stack.c:88 [inline] \n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 \n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 \n __kasan_report mm/kasan/report.c:442 [inline] \n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 \n port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 \n __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 \n \n... \n \nAllocated by task 1255: \n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 \n kasan_set_track mm/kasan/common.c:45 [inline] \n set_alloc_info mm/kasan/common.c:436 [inline] \n ____kasan_kmalloc mm/kasan/common.c:515 [inline] \n ____kasan_kmalloc mm/kasan/common.c:474 [inline] \n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 \n alloc_dr drivers/base/devres.c:116 [inline] \n devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 \n devm_kzalloc include/linux/device.h:209 [inline] \n port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 \n \nFreed by task 1255: \n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 \n kasan_set_track+0x21/0x30 mm/kasan/common.c:45 \n kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 \n ____kasan_slab_free mm/kasan/common.c:366 [inline] \n ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 \n kasan_slab_free include/linux/kasan.h:236 [inline] \n __cache_free mm/slab.c:3437 [inline] \n kfree+0xf8/0x2b0 mm/slab.c:3794 \n release_nodes+0x112/0x1a0 drivers/base/devres.c:501 \n devres_release_all+0x114/0x190 drivers/base/devres.c:530 \n really_probe+0x626/0xcc0 drivers/base/dd.c:670 \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"16 Jul 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T16:16:57.000000Z"}]}