{"id":"CVE-2022-2526","details":"A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.","modified":"2026-04-11T22:01:30.409718Z","published":"2022-09-09T15:15:10.107Z","related":["ALSA-2022:6206"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221111-0005/"},{"type":"FIX","url":"https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/systemd/systemd","events":[{"introduced":"0"},{"last_affected":"1742aae2aa8cd33897250d6fcfbe10928e43eb2f"},{"fixed":"d973d94dec349fb676fdd844f6fe2ada3538f27c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"240"}]}}],"versions":["v1","v10","v11","v12","v13","v14","v15","v16","v17","v18","v183","v184","v185","v186","v187","v188","v189","v19","v190","v191","v192","v193","v194","v195","v196","v197","v198","v199","v2","v20","v200","v201","v202","v203","v204","v205","v206","v207","v208","v209","v21","v210","v211","v212","v213","v214","v215","v216","v217","v218","v219","v22","v220","v221","v222","v223","v224","v225","v226","v227","v228","v229","v23","v230","v231","v232","v233","v234","v235","v236","v237","v238","v239","v24","v240","v25","v26","v27","v28","v29","v3","v30","v31","v32","v33","v34","v35","v36","v37","v38","v39","v4","v40","v41","v42","v43","v44","v5","v6","v7","v8","v9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2526.json","vanir_signatures_modified":"2026-04-11T22:01:30Z","vanir_signatures":[{"id":"CVE-2022-2526-0518585b","source":"https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c","target":{"function":"on_stream_io","file":"src/resolve/resolved-dns-stream.c"},"signature_type":"Function","digest":{"function_hash":"208401693791038653337512553355040068330","length":4329},"signature_version":"v1","deprecated":false},{"id":"CVE-2022-2526-3d277f7d","source":"https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c","target":{"function":"dns_stream_complete","file":"src/resolve/resolved-dns-stream.c"},"signature_type":"Function","digest":{"function_hash":"165753356205743956457529010201804762870","length":358},"signature_version":"v1","deprecated":false},{"id":"CVE-2022-2526-7591cea9","source":"https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c","target":{"file":"src/resolve/resolved-dns-stream.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["24244502987640347669429748297519997487","305861172124080797233263628752068476767","201898119636995375130900012674839025850","243976609872396757423323106453765157402","25033070272748089651412234795692720617","4749797598595707144303836668512376180","102934075727237860555720616686638501394","89242042041014859283960974229838224291"]},"signature_version":"v1","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}