DEBIAN-CVE-2022-50423

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2022-50423

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50423.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-50423

Upstream

CVE-2022-50423

Published

2025-10-01T12:15:33Z

Modified

2025-10-02T09:15:42.233142Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix use-after-free in acpiutcopyipackagetoipackage() There is an use-after-free reported by KASAN: BUG: KASAN: use-after-free in acpiutremovereference+0x3b/0x82 Read of size 1 at addr ffff888112afc460 by task modprobe/2111 CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), Call Trace: <TASK> kasanreport+0xae/0xe0 acpiutremovereference+0x3b/0x82 acpiutcopyiobjecttoiobject+0x3be/0x3d5 acpidsstoreobjecttolocal+0x15d/0x3a0 acpiexstore+0x78d/0x7fd acpiexopcode1A1T1R+0xbe4/0xf9b acpipsparseaml+0x217/0x8d5 ... </TASK> The root cause of the problem is that the acpioperandobject is freed when acpiutwalkpackagetree() fails in acpiutcopyipackagetoipackage(), lead to repeated release in acpiutcopyiobjecttoiobject(). The problem was introduced by "8aa5e56eeb61" commit, this commit is to fix memory leak in acpiutcopyiobjecttoiobject(), repeatedly adding remove operation, lead to "acpioperandobject" used after free. Fix it by removing acpiutremovereference() in acpiutcopyipackagetoipackage(). acpiutcopyipackagetoipackage() is called to copy an internal package object into another internal package object, when it fails, the memory of acpioperandobject should be freed by the caller.

References

https://security-tracker.debian.org/tracker/CVE-2022-50423

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.178-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}