CVE-2022-50677

Vulnerability

In the Linux kernel's IPMI subsystem, the function _ipmi_destroy_user() contains a use-after-free vulnerability. The function calls intf_free() which frees the intfintf` pointer, but then attempts to dereference that same pointer on the next line, leading to a use-after-free condition [1][2].

Exploitation

An attacker with local access and the ability to trigger the IPMI user destruction path could exploit this bug. The vulnerability is triggered during normal IPMI user cleanup, and no special privileges beyond the ability to interact with the IPMI interface are required. The use-after-free occurs when the freed memory is accessed, potentially allowing an attacker to corrupt kernel memory or execute arbitrary code.

Impact

Successful exploitation could lead to a denial of service (system crash or, in more severe cases, privilege escalation. The use-after-free can corrupt kernel memory, potentially allowing an attacker to gain elevated privileges or cause a system panic.

Mitigation

This vulnerability has been patched in the Linux kernel stable releases. Users should update to a kernel version containing the fix, which ensures that the intf pointer is not dereferenced after being freed [1][2].