
Cloud Vulnerability DB
A community-led vulnerabilities database
The SUNRPC subsystem in the Linux kernel through version 5.17.2 contains a use-after-free vulnerability (CVE-2022-28893) discovered by Felix Fu. The vulnerability occurs when the kernel calls `xs_xprt_free` before ensuring that sockets are in the intended state, leading to potential security issues (OSS Security).
The vulnerability stems from a use-after-free condition that occurs in the `inet_put_port` function because some sockets are not properly closed before `xs_xprt_free()` is called. The issue affects the Remote Procedure Call (SunRPC) protocol implementation in the Linux kernel. The vulnerability has been assigned a CVSS score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Security).
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects various Linux kernel versions up to 5.17.2 and has implications for systems using the SUNRPC subsystem (NetApp Security).
The issue has been fixed in various Linux distributions. For Debian's stable distribution (bullseye), the fix was implemented in version 5.10.120-1. Ubuntu has also released fixes for affected versions, including version 5.15.0-43.46 for 22.04 LTS and 5.4.0-124.140 for 20.04 LTS (Debian Security, Ubuntu Security).
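The fixed package versions above can be turned into a fleet check. The following is an added example, not part of the original report or of any vendor tooling: the function names, the three-state result and the sample inventory are assumptions, and the version comparison is a deliberate simplification of dpkg ordering.

```python
import re

# First fixed kernel package versions, as listed in the paragraph above.
FIXED_VERSIONS = {
    ("debian", "bullseye"): "5.10.120-1",
    ("ubuntu", "22.04"): "5.15.0-43.46",
    ("ubuntu", "20.04"): "5.4.0-124.140",
}

_PLAIN = re.compile(r"\d+(?:[.-]\d+)*")


def parse_version(version):
    """Turn '5.15.0-43.46' into (5, 15, 0, 43, 46).

    Simplification (assumption): only digits separated by '.' or '-' are
    accepted. Suffixes such as '~20.04.1' or '+deb11u1' need the full dpkg
    ordering rules, so they are rejected instead of being guessed at.
    """
    if not _PLAIN.fullmatch(version):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(field) for field in re.split(r"[.-]", version))


def check_kernel(distro, release, installed):
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2022-28893."""
    fixed = FIXED_VERSIONS.get((distro.lower(), release.lower()))
    if fixed is None:
        return "unknown"  # release not covered by the versions on this page
    try:
        have, want = parse_version(installed), parse_version(fixed)
    except ValueError:
        return "unknown"
    # A different upstream series (for example an HWE kernel) is tracked
    # under its own fixed version, so it cannot be judged from this table.
    if have[:2] != want[:2]:
        return "unknown"
    return "fixed" if have >= want else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (distro, release, kernel package version).
    inventory = [
        ("debian", "bullseye", "5.10.113-1"),
        ("ubuntu", "22.04", "5.15.0-43.46"),
        ("ubuntu", "20.04", "5.15.0-46.49~20.04.1"),
    ]
    for host in inventory:
        print(*host, "->", check_kernel(*host))
```

Hosts reported as `unknown` need a lookup in the distribution's own security tracker rather than an assumption in either direction.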
The vulnerability was initially reported by Felix Fu and discussed on the oss-security mailing list. Greg KH, a prominent Linux kernel maintainer, provided additional context about the fix implementation. The security community has classified this as a significant vulnerability due to its potential impact on system security (OSS Security).
Source: This report was generated using AI