GHSA-99WC-552W-7M28
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-18 03:31In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: Cleanup CPU timers before freeing them during exec
Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer.
When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID.
That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free.
Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free.
{
"affected": [],
"aliases": [
"CVE-2022-50095"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:38Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: Cleanup CPU timers before freeing them during exec\n\nCommit 55e8c8eb2c7b (\"posix-cpu-timers: Store a reference to a pid not a\ntask\") started looking up tasks by PID when deleting a CPU timer.\n\nWhen a non-leader thread calls execve, it will switch PIDs with the leader\nprocess. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find\nthe task because the timer still points out to the old PID.\n\nThat means that armed timers won\u0027t be disarmed, that is, they won\u0027t be\nremoved from the timerqueue_list. exit_itimers will still release their\nmemory, and when that list is later processed, it leads to a\nuse-after-free.\n\nClean up the timers from the de-threaded task before freeing them. This\nprevents a reported use-after-free.",
"id": "GHSA-99wc-552w-7m28",
"modified": "2025-11-18T03:31:14Z",
"published": "2025-06-18T12:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50095"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/541840859ace9c2ccebc32fa9e376c7bd3def490"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e255ed238fc67058df87b0388ad6d4b2ef3a2bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2fc1723eb65abb83e00d5f011de670296af0b28"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e362359ace6f87c201531872486ff295df306d13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e8cb6e8fd9890780f1bfcf5592889e1b879e779c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.