Fluid Attacks Database

Description

A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	systemd	>=0 <240-1	240-1
debian 11	systemd	>=0 <240-1	240-1
debian 13	systemd	>=0 <240-1	240-1
debian 14	systemd	>=0 <240-1	240-1
rpm rhel7	systemd	<0:219-78.el7_9.7	0:219-78.el7_9.7
rpm rhel8	systemd	<0:239-58.el8_6.4	0:239-58.el8_6.4
rpm rhel8.2	systemd	<0:239-31.el8_2.9	0:239-31.el8_2.9
rpm rhel8.4	systemd	<0:239-45.el8_4.12	0:239-45.el8_4.12

Aliases

1. CVE-2022-25262. NVD-2022-25263. OSV-DEBIAN-2022-25264. OSV-2022-25265. SECURITY-TRACKER-CVE-2022-2526

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.