Red Hat recently issued a risk notice for a local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2022-3910 (CVSS score: 7.4). The flaw is a use-after-free bug caused by an improper reference count update in io_uring.
io_uring is a system call interface for Linux, introduced in upstream Linux kernel version 5.1 in 2019. It lets an application submit system calls that are then performed asynchronously.
In the Linux kernel, an improper update of reference count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count. Fixed files are permanently registered to the ring, and should not be put separately.
“When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation),” read the Red Hat website.
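The reference-count imbalance described above, as an added userspace model that is not kernel code and not taken from the fixing commit. All names (`model_file`, `model_req`, `holder_ref_intact`, and so on) are hypothetical, and the single starting reference stands for whoever holds the file long term, which for a fixed file is the ring's registration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct model_file { int refcount; bool freed; };
struct model_req  { struct model_file *file; bool fixed; };

static void model_put(struct model_file *f)
{
    if (--f->refcount == 0)
        f->freed = true;   /* the kernel would free the object here */
}

/* A normal file gets its own reference for the request; a fixed file
 * borrows the reference held by the ring's registration. */
static void model_prepare(struct model_req *r, struct model_file *f, bool fixed)
{
    r->file = f;
    r->fixed = fixed;
    if (!fixed)
        f->refcount++;
}

/* Flawed completion: puts the file whatever its type. */
static void model_complete_flawed(struct model_req *r)
{
    model_put(r->file);
    r->file = NULL;
}

/* Corrected completion: puts only a reference the request took itself. */
static void model_complete_checked(struct model_req *r)
{
    if (!r->fixed)
        model_put(r->file);
    r->file = NULL;
}

/* True if the long-lived holder's reference is intact after one request. */
static bool holder_ref_intact(bool checked, bool fixed_file)
{
    struct model_file f = { .refcount = 1, .freed = false }; /* holder's ref */
    struct model_req r;
    model_prepare(&r, &f, fixed_file);
    if (checked) model_complete_checked(&r); else model_complete_flawed(&r);
    return !f.freed && f.refcount == 1;
}

int main(void) { return holder_ref_intact(true, true) ? 0 : 1; }
```

With the flawed completion, only the fixed-file case loses the holder's reference, which is why the registration is left pointing at an object that has already been released.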
The CVE-2022-3910 flaw was fixed in the Linux kernel via this commit. At present, Linux kernel maintainers have officially issued security patches. Users should update Linux servers immediately and apply the patches for other distros as soon as they are available. They should also allow only trusted users to access local systems and always monitor affected systems.