
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A flaw was discovered in the Linux kernel's implementation of IO-URING (CVE-2022-1976). The vulnerability was reported on May 31, 2022, and allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This vulnerability affects Linux kernel versions prior to 5.19 (NVD, CVE).
The vulnerability is classified as a use-after-free flaw (CWE-416) in the __lock_acquire function. The issue stems from incorrect inflight tracking for file types that have io_uring_fops, which can lead to trivial circular references that prevent ctx cleanup and cause memory leaks. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, NetApp Advisory).
Successful exploitation of this vulnerability can lead to memory corruption and possible privilege escalation on the affected system (CVE, Openwall).
The vulnerability was fixed in Linux kernel version 5.19-rc1 through a patch that was merged into the Linux kernel mainline and stable-master tree. The fix is commit 9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7 (Openwall, RedHat Bugzilla).
Source: This report was generated using AI