Race Condition Affecting perf package, versions <0:5.14.0-162.6.1.el9_1


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.05% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS9-PERF-9121086
  • published5 Mar 2025
  • disclosed26 Feb 2025

Introduced: 26 Feb 2025

CVE-2022-49698  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade Centos:9 perf to version 0:5.14.0-162.6.1.el9_1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos. See How to fix? for Centos:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

netfilter: use get_random_u32 instead of prandom

bh might occur while updating per-cpu rnd_state from user context, ie. local_out path.

BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725 caller is nft_ng_random_eval+0x24/0x54 [nft_numgen] Call Trace: check_preemption_disabled+0xde/0xe0 nft_ng_random_eval+0x24/0x54 [nft_numgen]

Use the random driver instead, this also avoids need for local prandom state. Moreover, prandom now uses the random driver since d4150779e60f ("random32: use real rng for non-deterministic randomness").

Based on earlier patch from Pablo Neira.

CVSS Base Scores

version 3.1