cve/2022/CVE-2022-4696.md

### [CVE-2022-4696](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4696)
![](https://img.shields.io/static/v1?label=Product&message=Linux%20Kernel&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%205.7-rc1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-763%20Release%20of%20Invalid%20Pointer%20or%20Reference&color=brighgreen)

### Description

There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-4696](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4696)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux%20Kernel&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%205.7-rc1%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-763%20Release%20of%20Invalid%20Pointer%20or%20Reference&color=brighgreen)`

			`### Description`

			There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`