Vulnerabilities > CVE-2022-0646 - Use After Free vulnerability in multiple products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

linux

netapp

CWE-416

NVD

Published: 2022-02-18

Updated: 2023-11-09

Summary

A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel 5.17	5
OS	Netapp Netapp H410C Firmware - Netapp H300S Firmware - Netapp H500S Firmware - Netapp H700S Firmware - Netapp H300E Firmware - Netapp H500E Firmware - Netapp H700E Firmware - Netapp H410S Firmware -	8
Hardware	Netapp Netapp H410C - Netapp H300S - Netapp H500S - Netapp H700S - Netapp H300E - Netapp H500E - Netapp H700E - Netapp H410S -	8

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References