Bug 2093146 (CVE-2022-1966)

Summary: CVE-2022-1966 kernel: netfilter: nf_tables: incorrect NFT_STATEFUL_EXPR check leads to a use-after-free (write)
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, brdeoliv, bskeggs, chwhite, crwood, ddepaula, dfreiber, dhoward, doconnor, drow, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steved, teagle, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A use-after-free vulnerability has been identified in the Linux Kernel's netfilter subsystem that did not properly handle the removal of stateful expressions in some situations. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-03 07:36:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2093147    

Description TEJ RATHI 2022-06-03 06:10:24 UTC 
net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

https://www.openwall.com/lists/oss-security/2022/05/31/1
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd
Comment 1 Rohit Keshri 2022-06-03 07:36:04 UTC 

*** This bug has been marked as a duplicate of bug 2092427 ***