{"id":"CVE-2022-49085","summary":"drbd: Fix five use after free bugs in get_initial_state","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: Fix five use after free bugs in get_initial_state\n\nIn get_initial_state, it calls notify_initial_state_done(skb,..) if\ncb-\u003eargs[5]==1. If genlmsg_put() failed in notify_initial_state_done(),\nthe skb will be freed by nlmsg_free(skb).\nThen get_initial_state will goto out and the freed skb will be used by\nreturn value skb-\u003elen, which is a uaf bug.\n\nWhat's worse, the same problem goes even further: skb can also be\nfreed in the notify_*_state_change -\u003e notify_*_state calls below.\nThus 4 additional uaf bugs happened.\n\nMy patch lets the problem callee functions: notify_initial_state_done\nand notify_*_state_change return an error code if errors happen.\nSo that the error codes could be propagated and the uaf bugs can be avoid.\n\nv2 reports a compilation warning. This v3 fixed this warning and built\nsuccessfully in my local environment with no additional warnings.\nv2: https://lore.kernel.org/patchwork/patch/1435218/","modified":"2026-04-02T08:27:17.162070Z","published":"2025-02-26T01:54:43.579Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1","SUSE-SU-2025:1293-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49085.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0489700bfeb1e53eb2039c2291c67e71b0b40103"},{"type":"WEB","url":"https://git.kernel.org/stable/c/188fe6b26765edbad4055611c0f788b6870f4024"},{"type":"WEB","url":"https://git.kernel.org/stable/c/226e993c39405292781bfcf4b039a8db56aab362"},{"type":"WEB","url":"https://git.kernel.org/stable/c/594205b4936771a250f9d141e7e0fff21c3dd2d9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a972c768723359ec995579902473028fe3cd64b1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aadb22ba2f656581b2f733deb3a467c48cc618f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6a4055036eed1f5e239ce3d8b0db1ce38bba447"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dcf6be17b5c53b741898d2223b23e66d682de300"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de63e74da2333b4068bb79983e632db730fea97e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49085.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49085"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a29728463b254ce81ecefdf20c1a02e01d9361da"},{"fixed":"0489700bfeb1e53eb2039c2291c67e71b0b40103"},{"fixed":"dcf6be17b5c53b741898d2223b23e66d682de300"},{"fixed":"188fe6b26765edbad4055611c0f788b6870f4024"},{"fixed":"b6a4055036eed1f5e239ce3d8b0db1ce38bba447"},{"fixed":"594205b4936771a250f9d141e7e0fff21c3dd2d9"},{"fixed":"a972c768723359ec995579902473028fe3cd64b1"},{"fixed":"de63e74da2333b4068bb79983e632db730fea97e"},{"fixed":"226e993c39405292781bfcf4b039a8db56aab362"},{"fixed":"aadb22ba2f656581b2f733deb3a467c48cc618f6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49085.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}