CVE-2022-23090

Summary

The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case.

An attacker may cause the reference count to overflow, leading to a use after free (UAF).

Affected Software

VendorProductVersion RangeStatus
FreeBSDFreeBSD13.1-RELEASE < p1affected
FreeBSDFreeBSD13.0-RELEASE < p12affected
FreeBSDFreeBSD12.3-RELEASE < p6affected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References