DEBIAN-CVE-2022-50241

Source
https://security-tracker.debian.org/tracker/CVE-2022-50241
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50241.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-50241
Upstream
Published
2025-09-15T14:15:34Z
Modified
2025-09-30T05:16:00.788625Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy. Use-after-free occurred when the laundromat tried to free an expired cpntf_state entry on the s2s_cp_stateids list after an inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lockstate x), FREE_STATEID(lockstate x) and CLOSE(openstate y) to the source server. The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state from the s2s_cp_stateids list before freeing the lock state's stid. However, sometimes the CLOSE was sent before the FREE_STATEID request. When this happens, the nfsd4_close_open_stateid call from nfsd4_close frees all lock states on its st_locks list without cleaning up the copy state on the sc_cp_list list. By the time the FREE_STATEID arrives the server returns BAD_STATEID since the lock state was freed. This causes the use-after-free error to occur when the laundromat tries to free the expired cpntf_state. This patch adds a call to nfs4_free_cpntf_statelist in nfsd4_close_open_stateid to clean up the copy state before calling free_ol_stateid_reaplist to free the lock state's stid on the reaplist.
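To make the ordering problem concrete, the following is an added user-space model of the objects the description names. It is not kernel code and not part of the advisory or the upstream patch: the list type, the two structures, the field set and the helper names are simplifications chosen for this example (the kernel's structures carry many more fields and the real laundromat runs from a workqueue). The model poisons a stid with a flag instead of calling free() so the laundromat's access to released memory can be counted rather than crash; with_fix selects whether the patch's added nfs4_free_cpntf_statelist step runs before the lock stid is released.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular doubly-linked list, shaped like the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Unlinking writes to both neighbours; when the list head lives inside an
 * already-released object, this write is the use-after-free. */
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical stand-ins for the kernel structures (only the fields the
 * advisory's scenario needs). */
struct nfs4_stid {
    struct list_head sc_cp_list; /* copy-notify states pointing at this stid */
    bool freed;                  /* poison flag in place of a real free() */
};

struct nfs4_cpntf_state {
    struct nfs4_stid *cp_p_stid; /* parent lock stateid */
    struct list_head cp_list;    /* link in cp_p_stid->sc_cp_list */
    struct list_head nn_list;    /* link in the list the laundromat walks */
    bool expired;
};

static struct list_head s2s_cp_stateids; /* model of nn->s2s_cp_stateids */
static int uaf_count;                    /* laundromat touches of a freed stid */

static struct nfs4_cpntf_state *alloc_cpntf_state(struct nfs4_stid *parent)
{
    struct nfs4_cpntf_state *cps = calloc(1, sizeof *cps);
    cps->cp_p_stid = parent;
    list_add(&cps->cp_list, &parent->sc_cp_list);
    list_add(&cps->nn_list, &s2s_cp_stateids);
    return cps;
}

static void release_cpntf_state(struct nfs4_cpntf_state *cps)
{
    list_del(&cps->cp_list);  /* dereferences the parent stid's list head */
    list_del(&cps->nn_list);
    free(cps);
}

/* The patch's added step: drop every copy state still linked to the stid. */
static void nfs4_free_cpntf_statelist(struct nfs4_stid *stid)
{
    while (stid->sc_cp_list.next != &stid->sc_cp_list)
        release_cpntf_state(container_of(stid->sc_cp_list.next,
                                         struct nfs4_cpntf_state, cp_list));
}

/* CLOSE arriving before FREE_STATEID: the lock stid is released through the
 * open state's st_locks list, never through nfsd4_free_stateid. */
static void nfsd4_close_open_stateid(struct nfs4_stid *lock_stid, bool with_fix)
{
    if (with_fix)
        nfs4_free_cpntf_statelist(lock_stid);
    lock_stid->freed = true;  /* stands in for free_ol_stateid_reaplist */
}

/* Laundromat: reap expired copy states by unlinking them from their parent. */
static void laundromat_run(void)
{
    struct list_head *pos = s2s_cp_stateids.next;
    while (pos != &s2s_cp_stateids) {
        struct nfs4_cpntf_state *cps =
            container_of(pos, struct nfs4_cpntf_state, nn_list);
        pos = pos->next;
        if (!cps->expired)
            continue;
        if (cps->cp_p_stid->freed) {
            uaf_count++;  /* list_del(&cps->cp_list) would write into freed memory */
            list_del(&cps->nn_list);
            free(cps);
        } else {
            release_cpntf_state(cps);
        }
    }
}

/* Returns how many times the laundromat would have dereferenced a freed stid. */
int simulate_close_before_free_stateid(bool with_fix)
{
    list_init(&s2s_cp_stateids);
    uaf_count = 0;
    struct nfs4_stid *lock_stid = calloc(1, sizeof *lock_stid);
    list_init(&lock_stid->sc_cp_list);
    /* COPY_NOTIFY attached a copy state to the lock stid; the copy has finished
     * and the state has aged past its lease, so the laundromat will reap it. */
    struct nfs4_cpntf_state *cps = alloc_cpntf_state(lock_stid);
    cps->expired = true;
    nfsd4_close_open_stateid(lock_stid, with_fix);  /* CLOSE before FREE_STATEID */
    laundromat_run();
    free(lock_stid);
    return uaf_count;
}

int main(void)
{
    printf("unpatched: %d freed-stid access(es)\n", simulate_close_before_free_stateid(false));
    printf("patched:   %d freed-stid access(es)\n", simulate_close_before_free_stateid(true));
    return 0;
}
```

Build with `cc -Wall -o uaf_model uaf_model.c`. Replacing the poison flag with a real free() and building with `-fsanitize=address` turns the counted access in the unpatched path into an AddressSanitizer heap-use-after-free report, which is the same class of fault the advisory describes.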

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.158-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}