In the Linux kernel an improper update of reference count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count. Fixed files are permanently registered to the ring, and should not be put separately. Upstream fix: https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
This was fixed for Fedora with the 5.19.11 stable kernel updates.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3910