CVE-2022-3176

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue is related to a use-after-free in io uring in the Linux kernel. The Signalfd poll() and binder poll() functions use a waitqueue whose lifetime is the current task, and it sends a POLLFREE notification to all waiters before the queue is freed. However, the io uring poll does not handle POLLFREE, allowing a use-after-free to occur if a signalfd or binder fd is polled with io uring poll, and the waitqueue gets freed.

Recommendations We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659 to resolve the issue. As a temporary workaround, consider disabling the use of io uring poll with signalfd or binder fd until a patch is available. Restrict access to the vulnerable io uring module to minimize the risk of exploitation. Avoid using the signalfd or binder fd in the affected io uring poll until the issue is resolved.