CVE-2022-50095

posix-cpu-timers: Cleanup CPU timers before freeing them during exec

Description

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: Cleanup CPU timers before freeing them during exec Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer. When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID. That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free. Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490
https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd
https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c
https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28
https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13

Frequently Asked Questions

What is the severity of CVE-2022-50095?
CVE-2022-50095 has not yet been assigned a CVSS score.
How to fix CVE-2022-50095?
To fix CVE-2022-50095, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-50095 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-50095 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-50095?
CVE-2022-50095 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.