Bug 1202574 - (CVE-2022-2526) VUL-0: CVE-2022-2526: systemd: systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Blocks: 1203000
Reported: 2022-08-19 14:52 UTC by Alexander Bergmann
Modified: 2022-09-14 12:04 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2022-08-19 14:52:23 UTC

systemd-resolved is susceptible to a Use After Free (UAF) vulnerability in how DNS packets are handled. Functions such as on_stream_io and dns_stream_complete in resolved-dns-stream.c do not increment the reference counting for the DnsStream object they are working on. Other functions and callbacks called there (e.g. on_llmnr_stream_packet) could unreference the DnsStream object, causing a Use After Free when the reference is still used later.

Upstream patch:

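The reference-counting hazard in the description, as an added C model that is not systemd's code: a stream with a single owner reference, a packet callback that drops that reference while the I/O handler is still running (the behaviour the description attributes to callbacks such as on_llmnr_stream_packet), and the handler in an unguarded shape beside a guarded one that takes its own reference first. The type, function names and the `freed` flag are constructed for illustration; the flag stands in for the allocator so the stale access can be observed instead of being undefined behaviour.

```c
#include <stdlib.h>

/* Constructed model of the refcount hazard, not systemd code. The "freed"
 * flag stands in for the allocator so the stale access is observable. */
typedef struct Stream Stream;
struct Stream {
    unsigned n_ref;
    int freed;                   /* set when the last reference is dropped */
    void (*on_packet)(Stream *); /* role of on_llmnr_stream_packet */
};

static void stream_ref(Stream *s) { s->n_ref++; }

static void stream_unref(Stream *s) {
    if (s->n_ref > 0 && --s->n_ref == 0)
        s->freed = 1;            /* a real implementation would free() here */
}

/* Callback that drops the owner's reference while the handler still runs. */
static void cb_drops_owner_ref(Stream *s) { stream_unref(s); }

/* Vulnerable shape: nothing pins the stream across the callback.
 * Returns 1 when the access after the callback touches freed memory. */
static int on_stream_io_unguarded(Stream *s) {
    s->on_packet(s);
    return s->freed;             /* use after free if the callback dropped the last ref */
}

/* Fixed shape: take our own reference for the duration of the handler. */
static int on_stream_io_guarded(Stream *s) {
    int hit;
    stream_ref(s);
    s->on_packet(s);
    hit = s->freed;              /* always 0: we still hold a reference */
    stream_unref(s);             /* may be the final drop; s is not used afterwards */
    return hit;
}

/* Run one handler against a fresh stream whose only reference is the owner's. */
static int run_scenario(int (*handler)(Stream *)) {
    Stream *s = calloc(1, sizeof *s);
    int hit;
    if (!s) return -1;
    s->n_ref = 1;
    s->on_packet = cb_drops_owner_ref;
    hit = handler(s);
    free(s);                     /* release the model object */
    return hit;
}
```

Under AddressSanitizer the unguarded shape reports a heap-use-after-free on the field read that follows the callback; the guarded shape is silent because the handler's own reference keeps the object alive until it is done.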
Comment 1 Alexander Bergmann 2022-08-19 14:53:26 UTC
This is fixed since v240. So everything <= SUSE:SLE-15:Update is affected.
Comment 2 Franck Bui 2022-08-22 12:47:24 UTC
None of the SLE distros ships systemd-resolved.

IIRC Leap started shipping systemd-resolved since 15.3, which uses v246.

So I don't think we need to fix this issue.

Alexander, could you confirm?
Comment 3 Hu Xiaoyu 2022-09-03 13:22:25 UTC
Our customer would like to know if this CVE affects our SLE product because it shows "affected" at "https://www.suse.com/security/cve/CVE-2022-2526.html". Could you help to confirm it and update the status?
Many thanks!
Comment 4 Gabriele Sonnu 2022-09-14 12:04:54 UTC
As Franck said in comment 2, we don't ship the affected component (systemd-resolved) in SLE, so we aren't affected.