Vulnerability Details : CVE-2022-4744
A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
Vulnerability category: Memory Corruption
Products affected by CVE-2022-4744
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-4744
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-4744
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2022-4744
-
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Assigned by: nvd@nist.gov (Primary)
-
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Assigned by: secalert@redhat.com (Secondary)
-
The product accesses or uses a pointer that has not been initialized.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2022-4744
-
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html
[SECURITY] [DLA 3403-1] linux security updateMailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/171912/CentOS-Stream-9-Missing-Kernel-Security-Fix.html
CentOS Stream 9 Missing Kernel Security Fix ≈ Packet StormThird Party Advisory;VDB Entry
-
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=158b515f703e
kernel/git/netdev/net.git - Netdev Group's networking treeVendor Advisory
-
https://security.netapp.com/advisory/ntap-20230526-0009/
CVE-2022-4744 Linux Kernel Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
Jump to