CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
9.5%
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix error pbuf checking
Syz reports a problem, which boils down to NULL vs IS_ERR inconsistent
error handling in io_alloc_pbuf_ring().
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341
Call Trace:
<TASK>
io_put_bl io_uring/kbuf.c:378 [inline]
io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392
io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613
io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Vendor | Product | Version | CPE |
---|---|---|---|
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:* |
linux | linux_kernel | 6.10 | cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:* |
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"io_uring/kbuf.c"
],
"versions": [
{
"version": "87585b05757d",
"lessThan": "68d19af95a35",
"status": "affected",
"versionType": "git"
},
{
"version": "87585b05757d",
"lessThan": "bcc87d978b83",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"io_uring/kbuf.c"
],
"versions": [
{
"version": "6.10",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.10",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.10.1",
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.11",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]