CVE-2022-49149

{"id": "CVE-2022-49149", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-02-26T07:00:52.073", "references": [{"url": "https://git.kernel.org/stable/c/051360e51341cd17738d82c15a8226010c7cb7f6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a7f62f91933c8ae5308f9127fd8ea48188b6bc3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54df5a37f1d951ed27fd47bf9b15a42279582110", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e3c11144e557a9dbf9a2f6abe444689ef9d8aae", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8cbf4ae7a2833767d63114573e5f9a45740cc975", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call timer start racing with call destruction\n\nThe rxrpc_call struct has a timer used to handle various timed events\nrelating to a call. This timer can get started from the packet input\nroutines that are run in softirq mode with just the RCU read lock held.\nUnfortunately, because only the RCU read lock is held - and neither ref or\nother lock is taken - the call can start getting destroyed at the same time\na packet comes in addressed to that call. This causes the timer - which\nwas already stopped - to get restarted. Later, the timer dispatch code may\nthen oops if the timer got deallocated first.\n\nFix this by trying to take a ref on the rxrpc_call struct and, if\nsuccessful, passing that ref along to the timer. If the timer was already\nrunning, the ref is discarded.\n\nThe timer completion routine can then pass the ref along to the call's work\nitem when it queues it. If the timer or work item where already\nqueued/running, the extra ref is discarded."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rxrpc: Se soluciona el inicio del temporizador de llamadas con la destrucci\u00f3n de llamadas La estructura rxrpc_call tiene un temporizador que se utiliza para gestionar varios eventos temporizados relacionados con una llamada. Este temporizador puede iniciarse desde las rutinas de entrada de paquetes que se ejecutan en modo softirq con solo el bloqueo de lectura RCU mantenido. Desafortunadamente, debido a que solo se mantiene el bloqueo de lectura RCU, y no se toma ninguna referencia ni ning\u00fan otro bloqueo, la llamada puede comenzar a destruirse al mismo tiempo que llega un paquete dirigido a esa llamada. Esto hace que el temporizador, que ya estaba detenido, se reinicie. M\u00e1s tarde, el c\u00f3digo de despacho del temporizador puede fallar si el temporizador se desasign\u00f3 primero. Solucione esto intentando tomar una referencia en la estructura rxrpc_call y, si tiene \u00e9xito, pasando esa referencia al temporizador. Si el temporizador ya se estaba ejecutando, la referencia se descarta. La rutina de finalizaci\u00f3n del temporizador puede pasar la referencia al elemento de trabajo de la llamada cuando lo pone en cola. Si el temporizador o el elemento de trabajo ya estaban en cola o en ejecuci\u00f3n, la referencia adicional se descarta."}], "lastModified": "2025-09-23T13:53:54.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "320B2FBC-A9FB-4A02-BFD8-BF14B78CA80C", "versionEndExcluding": "5.10.110", "versionStartIncluding": "4.15.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5", "versionEndExcluding": "5.15.33", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B4D39AF-668B-442B-8085-639A6D4FA5AC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69A04496-EA26-42E0-A553-413BF2A78AD7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14E8986E-B317-40EA-B0B5-5D2922D2AF5B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBC4657A-0239-47DF-B582-87D8DFA69439"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E1F48A9-9185-4554-9265-22CEC01D18FD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "639D2465-65E0-40E2-B7A8-BEA9E221DE54"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A282AD0B-2D63-4F05-8F89-109A0975B423"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30358221-183C-4699-994E-AF51F5D534FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5ED80A8-E656-4AE9-921B-C22402C94A4C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}