CVE-2022-49014

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.1.0-rc5-syzkaller-00044-gcc675d22e422

Description The issue is related to a use-after-free vulnerability in the tun detach() function of the Linux kernel's tun driver. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The cause of the issue is that sock put() from tun detach() drops the last reference count for struct net, and then notifier call chain() from netdev state change() accesses that struct net. The vulnerability can be triggered by a call trace like the one reported by syzbot, which includes a read of size 8 at a specific address by the syz-executor.0 task.

Recommendations To resolve the issue, apply the patch that fixes the use-after-free in tun detach() by calling sock put() from tun detach() after all necessary accesses for struct net have been done. As a temporary workaround, consider restricting access to the tun driver to minimize the risk of exploitation.