{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48771", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-20T11:09:39.061Z", "datePublished": "2024-06-20T11:13:45.896Z", "dateUpdated": "2025-05-04T08:22:43.964Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:22:43.964Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "e8d092a62449dcfc73517ca43963d2b8f44d0516", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "84b1259fe36ae0915f3d6ddcea6377779de48b82", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "6066977961fc6f437bc064f628cf9b0e4571c56c", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "status": "affected", "versionType": "git"}, {"version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "a0f90c8815706981c483a652a6aefca51a5e191c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "versions": [{"version": "4.14", "status": "affected"}, {"version": "0", "lessThan": "4.14", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.264", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.227", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.175", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.95", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.18", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.4", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.14.264"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.19.227"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.4.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.10.95"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.15.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.16.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}], "title": "drm/vmwgfx: Fix stale file descriptors on failed usercopy", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:00.306Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:09:57.107831Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:46.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:00.306Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:09:57.107831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:25.860Z"}}], "cna": {"title": "drm/vmwgfx: Fix stale file descriptors on failed usercopy", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "e8d092a62449dcfc73517ca43963d2b8f44d0516", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "84b1259fe36ae0915f3d6ddcea6377779de48b82", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "6066977961fc6f437bc064f628cf9b0e4571c56c", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "versionType": "git"}, {"status": "affected", "version": "c906965dee22d5e95d0651759ba107b420212a9f", "lessThan": "a0f90c8815706981c483a652a6aefca51a5e191c", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.14"}, {"status": "unaffected", "version": "0", "lessThan": "4.14", "versionType": "semver"}, {"status": "unaffected", "version": "4.14.264", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.227", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.175", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.95", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.18", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.4", "versionType": "semver", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/vmwgfx/vmwgfx_drv.h", "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c", "drivers/gpu/drm/vmwgfx/vmwgfx_fence.c", "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}, {"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.264", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.227", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.175", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.95", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.18", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.4", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17", "versionStartIncluding": "4.14"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:22:43.964Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48771", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:22:43.964Z", "dateReserved": "2024-06-20T11:09:39.061Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-20T11:13:45.896Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "230007AB-5013-4A44-A8FD-13A8239FD09A", "versionEndExcluding": "4.14.264", "versionStartIncluding": "4.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C0D30D6-E8EC-41F5-BF1A-3CCB1034752B", "versionEndExcluding": "4.19.227", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "46470E09-F127-47BD-AE84-51EF5A1E7667", "versionEndExcluding": "5.4.175", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A304480-62CF-4C12-B158-E4701C3527C7", "versionEndExcluding": "5.10.95", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B82C4819-4E4F-41A7-99A9-0BDCC5144108", "versionEndExcluding": "5.15.18", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFD4BEA8-F0A8-4843-B31D-5B8954360C18", "versionEndExcluding": "5.16.4", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vmwgfx: corrige descriptores de archivos obsoletos en una copia de usuario fallida. Una copia de usuario fallida del objeto valla_rep generar\u00e1 una entrada obsoleta en la tabla de descriptores de archivos, ya que put_unused_fd() no lo liberar\u00e1. Esto permite al usuario hacer referencia a un objeto 'archivo' pendiente a trav\u00e9s de ese descriptor de archivo a\u00fan v\u00e1lido, lo que lleva a todo tipo de escenarios de explotaci\u00f3n de use-after-free. Solucione este problema posponiendo la llamada a fd_install() hasta que la copia del usuario se haya realizado correctamente."}], "id": "CVE-2022-48771", "lastModified": "2025-01-06T21:41:47.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-20T12:15:15.043", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1988", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-372.9.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "kernel: drm/vmwgfx: Fix stale file descriptors on failed usercopy", "id": "2293337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293337"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.", "A use-after-free vulnerability has been identified in the Linux kernel's VMware graphics driver (vmwgfx) driver. This flaw occurs during the usercopy operation for the fence_rep object. If this operation fails, it can leave a stale (dangling) file descriptor in the system's file descriptor table. This allows userland processes to reference an invalidated file object, ultimately leading to a use-after-free condition. Successful exploitation of this vulnerability could result in memory corruption, system instability, or a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48771", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48771\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48771\nhttps://lore.kernel.org/linux-cve-announce/2024062011-CVE-2022-48771-2c90@gregkh/T"], "threat_severity": "Moderate"}