CVE-2022-2959: Linux Kernel privilege escalation vulnerability

Security researcher Selim Enes Karaduman (@Enesdex) has found a privilege escalation vulnerability in the Linux kernel that can be exploited by a local attacker for privilege escalation.

The security flaw provides a local user with access to a vulnerable privileged driver with the ability to execute low-privileged code on the target system to “trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer“. Tracked as CVE-2022-2959, the vulnerability could be exploited to crash the system or escalate local privileges.

The bug exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object.

According to an advisory published by RedHat, “A race condition was found in the Linux kernel’s watch queue due to a missing lock in the pipe_resize_ring(). The race condition occurs when a thread uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer, while another thread uses keyctl() to trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer.”

CVE-2022-2959 (CVSS score: 7.8) affects Linux kernel 5.18. RedHat confirms that this flaw doesn’t affect Red Hat Enterprise Linux 6, 7, and 8.

The vulnerability was disclosed to the Linux Kernel on May 25. Linux has issued an update to correct this vulnerability. Administrators are advised to apply the appropriate updates on their Linux distributions as soon as they receive them from their respective distros. They’re also recommended to allow only trusted users to access local systems and always monitor affected systems.