2373693 – (CVE-2022-50095) CVE-2022-50095 kernel: posix-cpu-timers: Cleanup CPU timers before freeing them during exec

Bug 2373693 (CVE-2022-50095) - CVE-2022-50095 kernel: posix-cpu-timers: Cleanup CPU timers before freeing them during exec

Summary: CVE-2022-50095 kernel: posix-cpu-timers: Cleanup CPU timers before freeing th...

Keywords:
Status:	NEW
Alias:	CVE-2022-50095
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-18 12:14 UTC by OSIDB Bzimport
Modified:	2025-06-18 17:30 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-18 12:14:07 UTC

In the Linux kernel, the following vulnerability has been resolved:

posix-cpu-timers: Cleanup CPU timers before freeing them during exec

Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a
task") started looking up tasks by PID when deleting a CPU timer.

When a non-leader thread calls execve, it will switch PIDs with the leader
process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find
the task because the timer still points out to the old PID.

That means that armed timers won't be disarmed, that is, they won't be
removed from the timerqueue_list. exit_itimers will still release their
memory, and when that list is later processed, it leads to a
use-after-free.

Clean up the timers from the de-threaded task before freeing them. This
prevents a reported use-after-free.

Comment 1 Avinash Hanwate 2025-06-18 16:00:25 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061802-CVE-2022-50095-981c@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.