CVE-2022-21504
Description
The code in UEK6 U3 was missing an appropriate file descriptor count. This resulted in a use count error that allowed a file descriptor to a socket to be closed and freed while it was still in use by another portion of the kernel. An attacker with local access can operate on the socket and cause a denial of service. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: UEK6 U3
- Range: Oracle Linux: 7
Patches
Vulnerability mechanics
Root cause
"The kernel code was missing an appropriate file descriptor count, leading to a use-after-free error."
Attack vector
A local attacker with low privileges can trigger this vulnerability. The attacker needs to operate on a socket file descriptor that is still in use by another part of the kernel. By manipulating this file descriptor, the attacker can cause a denial of service.
Affected code
The vulnerability exists in the `__close_fd_get_file()` function within the kernel's file descriptor handling. Specifically, the change in `fs: move filp_close() outside of __close_fd_get_file()` addresses the incorrect ordering of operations related to closing file descriptors and obtaining file structures [ref_id=1].
What the fix does
The patch moves the call to `filp_close()` outside of the `__close_fd_get_file()` function [ref_id=1]. Previously, `__close_fd_get_file()` would return a file descriptor that was already closed by `filp_close()`. The change ensures that `filp_close()` is called only after the file descriptor is no longer needed by other kernel components, preventing the use-after-free condition.
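The ordering problem described above can be seen in a simplified userspace model. This is an added example, not code from the kernel or from the referenced commit: `model_file`, `model_filp_close()`, `close_get_file_flawed()`, `close_get_file_fixed()` and `used_after_free()` are hypothetical names, and "freed" is modelled as a flag on a stack object so that nothing is actually released.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy stand-in for a kernel file object (hypothetical, not kernel code). */
struct model_file {
    int  refs;   /* use count */
    bool freed;  /* set when the last reference is dropped */
};

/* Stand-in for filp_close(): drops the reference the fd table held. */
static void model_filp_close(struct model_file *f)
{
    if (--f->refs == 0)
        f->freed = true;   /* a real kernel would release the object here */
}

/* Flawed ordering: the file is closed inside the helper, and no extra
 * count is taken for the caller that receives it through *res. */
static void close_get_file_flawed(struct model_file **slot, struct model_file **res)
{
    *res = *slot;
    *slot = NULL;
    model_filp_close(*res);
}

/* Ordering described for the fix: the helper only detaches the file from
 * the table; the caller closes it once it has finished with it. */
static void close_get_file_fixed(struct model_file **slot, struct model_file **res)
{
    *res = *slot;
    *slot = NULL;
}

/* Returns true if the object was already freed when the caller used it. */
bool used_after_free(bool fixed)
{
    struct model_file sock = { .refs = 1, .freed = false };  /* constructed sample */
    struct model_file *slot = &sock, *held = NULL;
    bool stale;

    if (fixed)
        close_get_file_fixed(&slot, &held);
    else
        close_get_file_flawed(&slot, &held);
    stale = held->freed;          /* the point where the caller operates on the file */
    if (fixed)
        model_filp_close(held);   /* deferred close, after the last use */
    return stale;
}
```

With the flawed helper the caller is handed an object whose count has already reached zero; with the deferred close the count stays at one until the caller is done.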
Preconditions
- auth: The attacker must have local access and low privileges.
- input: The attacker must be able to operate on a socket file descriptor.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/oracle/linux-uek/commit/49c68f5f892d8c2be00e0a89ff2a035422c03b59 (mitre, x_refsource_MISC)