{"id":"ASB-A-231494876","details":"In fs, there is a possible use-after-free due to a race condition in io_uring timeouts. This could lead to local escalation of privileges with no additional execution privileges needed. User interaction is not needed for exploitation","aliases":["A-231494876","CVE-2022-29582"],"modified":"2026-03-11T06:19:28.834185Z","published":"2022-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-09-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-09-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a"],"types":["EoP"],"severity":"High","vanir_signatures":[{"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a","id":"ASB-A-231494876-3c10ab71","digest":{"length":617,"function_hash":"43074021457514687395697517183641958809"},"signature_version":"v1","deprecated":false,"target":{"file":"fs/io_uring.c","function":"io_flush_timeouts"}},{"signature_type":"Line","source":"https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a","id":"ASB-A-231494876-72f1a540","digest":{"line_hashes":["166213164905616798442702210715135217555","38034881214551463394167694264457392786","298542725374194033207080765061799153352","284689179035732435108245531252381961948","286787944774332086122372438930331685845","326686575877694277524474573323978279554","306345494754606848400784569904314576684","211432475309786876401950240481754390093","104285536753074518661356789773234767091","36068795037626440509808809136235567104","9373411352586735479019573266403788983","114763145292153712131505117664994001068","32125398790148285527765954021142472167","76613512002614825014852177185782788614","330526412364070490882544705275012451583","136742949318375340781908705800389189714","109622292302761488033628072790733865073","200137944223419748202476380241281925103","20400196363749282624638362549130139128","2877787691440934636922516567433787222","166531141786651239751160552142163579673","214967927159089070819298592580579027972","316072444620923174271744297855646342359","266309978127272310547281358981072485831","29666768274152184127590583953305652942","305116825448308969505468737967983900159","139631206780381122850498719802233854674","172401547407543424648223052855122691790"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"fs/io_uring.c"}},{"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a","id":"ASB-A-231494876-aea939c2","digest":{"length":882,"function_hash":"34908908615115264513526277678453656086"},"signature_version":"v1","deprecated":false,"target":{"file":"fs/io_uring.c","function":"io_timeout_prep"}},{"signature_type":"Function","source":"https://android.googlesource.com/kernel/common/+/4b895c556fa46acaa95bf27c95e4f9449ff4d17a","id":"ASB-A-231494876-d5578fe6","digest":{"length":703,"function_hash":"250832103600064856629235858201995071592"},"signature_version":"v1","deprecated":false,"target":{"file":"fs/io_uring.c","function":"io_link_timeout_fn"}}],"spl":"2022-09-05"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-231494876.json"}}],"schema_version":"1.7.5"}