Linux Kernel BPF fs/nilfs2/inode.c nilfs_new_inode use after free

A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. Using CWE to declare the problem leads to CWE-416. The weakness was disclosed 10/21/2022 as DLA 3173-1. The advisory is shared for download at git.kernel.org. This vulnerability is traded as CVE-2022-3649. It is possible to launch the attack remotely. Technical details are available. There is no exploit available. The current price for an exploit might be approx. USD $0-$5k at the moment. It is declared as not defined. As 0-day the estimated underground price was around $5k-$25k. The bugfix is ready for download at git.kernel.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

Field10/21/2022 21:3311/19/2022 12:3811/19/2022 12:45
vendorLinuxLinuxLinux
nameKernelKernelKernel
componentBPFBPFBPF
filefs/nilfs2/inode.cfs/nilfs2/inode.cfs/nilfs2/inode.c
functionnilfs_new_inodenilfs_new_inodenilfs_new_inode
cwe416 (use after free)416 (use after free)416 (use after free)
risk111
cvss3_vuldb_avNNN
cvss3_vuldb_acHHH
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iNNN
cvss3_vuldb_aLLL
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
urlhttps://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09
namePatchPatchPatch
patch_urlhttps://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d325dc6eb763c10f591c239550b8c7e5466a5d09
cveCVE-2022-3649CVE-2022-3649CVE-2022-3649
responsibleVulDBVulDBVulDB
date1666303200 (10/21/2022)1666303200 (10/21/2022)1666303200 (10/21/2022)
typeOperating SystemOperating SystemOperating System
cvss2_vuldb_avNNN
cvss2_vuldb_acHHH
cvss2_vuldb_ciNNN
cvss2_vuldb_iiNNN
cvss2_vuldb_aiPPP
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss3_vuldb_eXXX
cvss2_vuldb_basescore2.12.12.1
cvss2_vuldb_tempscore1.81.81.8
cvss3_vuldb_basescore3.13.13.1
cvss3_vuldb_tempscore3.03.03.0
cvss3_meta_basescore3.13.15.3
cvss3_meta_tempscore3.03.05.3
price_0day$5k-$25k$5k-$25k$5k-$25k
identifierDLA 3173-1DLA 3173-1
cve_assigned1666303200 (10/21/2022)1666303200 (10/21/2022)
cve_nvd_summaryA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss3_cna_avN
cvss3_cna_acH
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cN
cvss3_cna_iN
cvss3_cna_aL
cve_cnaVulDB
cvss3_nvd_basescore9.8
cvss3_cna_basescore3.1

Might our Artificial Intelligence support you?

Check our Alexa App!