Search for vulnerabilities
| Vulnerability ID | VCID-tqsm-2e4k-aycp |
| Aliases |
CVE-2022-22942
|
| Summary | kernel: failing usercopy allows for use-after-free exploitation |
| Status | Published |
| Exploitability | 2.0 |
| Weighted Severity | 6.3 |
| Risk | 10.0 |
| Affected and Fixed Packages | Package Details |
| CWE-416 | Use After Free |
| System | Score | Found at |
|---|---|---|
| cvssv3 | 7.0 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22942.json |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| epss | 0.13534 | https://api.first.org/data/v1/epss?cve=CVE-2022-22942 |
| cvssv3.1 | 7 | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml |
| Data source | Metasploit |
|---|---|
| Description | If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a free'd 'file' object. We use this bug to overwrite a SUID binary with our payload and gain root. Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic. |
| Note | Stability: - crash-os-down Reliability: - repeatable-session SideEffects: - artifacts-on-disk - ioc-in-logs |
| Ransomware campaign use | Unknown |
| Source publication date | Jan. 28, 2022 |
| Platform | Linux |
| Source URL | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/local/vmwgfx_fd_priv_esc.rb |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.94191 |
| EPSS Score | 0.13534 |
| Published At | April 2, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T13:59:47.660250+00:00 | RedHat Importer | Import | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22942.json | 38.0.0 |