A UAF flaw was found in the Linux kernel's pipes functionality. The problem is located in the function free_pipe_info of fs/pipe.c. When a pipe node is freed, it doesn't set pipe->watch_queue->pipe to NULL. When the function post_one_notification is called, it uses this field, but the pipe has been freed and watch_queue->pipe is a dangling pointer. The problem was introduced by commit db8facfc9fafacefe8a835 "watch_queue, pipe: Free watchqueue state after clearing pipe ring". Reference: https://git.kernel.org/linus/353f7988dd8413c4
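A user-space C model of the pattern this report describes, added here as an illustration and not code from the kernel or from this bug: the watch queue keeps a back-pointer to its pipe, so tearing down the pipe must clear that pointer, and post_one_notification must treat a NULL pipe as "nothing to deliver to" instead of dereferencing freed memory. The struct layouts, the posted counter and scenario() are assumptions of the model, and the kernel's locking around these steps is left out.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified stand-ins for the two kernel objects involved (model only). */
struct watch_queue {
    struct pipe_inode_info *pipe;   /* back-pointer to the owning pipe */
    int posted;                     /* notifications delivered (model only) */
};

struct pipe_inode_info {
    struct watch_queue *watch_queue;
};

/* Hardened teardown: sever the back-pointer before releasing the pipe so a
 * later notification finds NULL rather than a dangling pointer. The buggy
 * shape on the page is the same function without the first two lines.
 * The real kernel must also serialise this with the watch queue's lock. */
static void free_pipe_info_fixed(struct pipe_inode_info *pipe)
{
    if (pipe->watch_queue)
        pipe->watch_queue->pipe = NULL;
    free(pipe);
}

/* Model of post_one_notification(): deliver only while the pipe exists.
 * Returns true when delivered, false when the notification is dropped. */
static bool post_one_notification(struct watch_queue *wqueue)
{
    if (!wqueue->pipe)
        return false;        /* pipe already torn down: drop, don't deref */
    wqueue->posted++;        /* stand-in for writing into the pipe ring */
    return true;
}

/* Scenario: post once while the pipe is alive, free it the fixed way, post
 * again. Returns the number of notifications actually delivered. */
static int scenario(void)
{
    struct watch_queue wq = { .pipe = NULL, .posted = 0 };
    struct pipe_inode_info *pipe = calloc(1, sizeof *pipe);
    if (!pipe)
        return -1;
    pipe->watch_queue = &wq;
    wq.pipe = pipe;
    post_one_notification(&wq);     /* delivered: posted == 1 */
    free_pipe_info_fixed(pipe);     /* wq.pipe is now NULL */
    post_one_notification(&wq);     /* safely dropped */
    return wq.posted;               /* 1 */
}
```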
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2090381]
This was fixed for Fedora with the 5.18.15 stable kernel updates.
*** Bug 2106777 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1882