Cyber Resilience

CVE-2022-49059

Severity: High

Published: 26 February 2025
Modified: 24 March 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49059 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 5.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49059 is a use-after-free vulnerability in the Linux kernel's NFC NCI (NFC Controller Interface) subsystem. The issue is a race during NCI device detachment: the delayed mechanisms involved, a timer and a workqueue, can be scheduled against each other so that an already freed NCI device structure is accessed. Specifically, nci_unregister_device() calls del_timer_sync() on cmd_timer and then kfree(ndev), but a worker still executing nci_cmd_work() can call mod_timer() on the timer embedded in the freed object, which is the use-after-free. Kernels without the relevant stable patches are affected; the upstream report demonstrates it with a KASAN crash trace on kernel 5.18.0-rc2.

A local attacker with low privileges can trigger this vulnerability, and the attack complexity is low (AV:L/AC:L/PR:L). The trigger is a race between nci_unregister_device() (reached through device close paths such as tty release) and the nci_dev_up() / nci_open_device() sequence, which queues work and modifies the timer. In the upstream proof-of-concept the outcome is a kernel crash, shown in the KASAN trace below as enqueue_timer() writing to a freed address, i.e. denial of service. The CVSS v3.1 vector (C:H/I:H/A:H) reflects the possibility of high-impact confidentiality, integrity, and availability violations, up to arbitrary code execution through the UAF.

Mitigation requires applying the upstream Linux kernel stable patches, such as those in commits 1a1748d0dd0f0a98535c6baeef671c8722107639, 5c63ad2b0a267a524c12c88acb1ba9c2d109a801, 67677050cecbe0edfdd81cd508415e9636ba7c65, 7d3232214ca4ea8f7d18df264c3b254aa8089d7f, and 9d243aff5f7e6b04e907c617426bbdf26e996ac8. These patches add flush_workqueue() calls so that the workqueue is drained before device cleanup, which removes the window in which the timer can be re-armed on freed memory. Systems using NFC NCI drivers, such as nfcmrvl_nci over UART, should update to patched kernels.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: add flush_workqueue to prevent uaf

Our detector found a concurrent use-after-free bug when detaching an NCI device. The main reason for this bug is the unexpected scheduling between the used delayed mechanism (timer and workqueue).

The race can be demonstrated below:

        Thread-1                           Thread-2
                                      | nci_dev_up()
                                      |   nci_open_device()
                                      |     __nci_request(nci_reset_req)
                                      |       nci_send_cmd
                                      |         queue_work(cmd_work)
nci_unregister_device()               |
  nci_close_device()                  | ...
    del_timer_sync(cmd_timer)[1]      | ...
  ...                                 | Worker
  nci_free_device()                   | nci_cmd_work()
    kfree(ndev)[3]                    |   mod_timer(cmd_timer)[2]

In short, the cleanup routine thought that the cmd_timer had already been detached by [1], but mod_timer can re-attach the timer [2] even though it is already released [3], resulting in UAF.

This UAF is easy to trigger; the crash trace from the POC is as below:

[ 66.703713] ==================================================================
[ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
[ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
[ 66.703974]
[ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
[ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
[ 66.703974] Call Trace:
[ 66.703974] <TASK>
[ 66.703974] dump_stack_lvl+0x57/0x7d
[ 66.703974] print_report.cold+0x5e/0x5db
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] kasan_report+0xbe/0x1c0
[ 66.703974] ? enqueue_timer+0x448/0x490
[ 66.703974] enqueue_timer+0x448/0x490
[ 66.703974] __mod_timer+0x5e6/0xb80
[ 66.703974] ? mark_held_locks+0x9e/0xe0
[ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410
[ 66.703974] ? queue_work_on+0x61/0x80
[ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130
[ 66.703974] process_one_work+0x8bb/0x1510
[ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230
[ 66.703974] ? rwlock_bug.part.0+0x90/0x90
[ 66.703974] ? _raw_spin_lock_irq+0x41/0x50
[ 66.703974] worker_thread+0x575/0x1190
[ 66.703974] ? process_one_work+0x1510/0x1510
[ 66.703974] kthread+0x2a0/0x340
[ 66.703974] ? kthread_complete_and_exit+0x20/0x20
[ 66.703974] ret_from_fork+0x22/0x30
[ 66.703974] </TASK>
[ 66.703974]
[ 66.703974] Allocated by task 267:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] __kasan_kmalloc+0x81/0xa0
[ 66.703974] nci_allocate_device+0xd3/0x390
[ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0
[ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd
[ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0
[ 66.703974] tty_ioctl+0x764/0x1310
[ 66.703974] __x64_sys_ioctl+0x122/0x190
[ 66.703974] do_syscall_64+0x3b/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 66.703974]
[ 66.703974] Freed by task 406:
[ 66.703974] kasan_save_stack+0x1e/0x40
[ 66.703974] kasan_set_track+0x21/0x30
[ 66.703974] kasan_set_free_info+0x20/0x30
[ 66.703974] __kasan_slab_free+0x108/0x170
[ 66.703974] kfree+0xb0/0x330
[ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0
[ 66.703974] nci_uart_tty_close+0xdf/0x180
[ 66.703974] tty_ldisc_kill+0x73/0x110
[ 66.703974] tty_ldisc_hangup+0x281/0x5b0
[ 66.703974] __tty_hangup.part.0+0x431/0x890
[ 66.703974] tty_release+0x3a8/0xc80
[ 66.703974] __fput+0x1f0/0x8c0
[ 66.703974] task_work_run+0xc9/0x170
[ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0
[ 66.703974] syscall_exit_to_user_mode+0x19/0x50
[ 66.703974] do_syscall_64+0x48/0x90
[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0x ---truncated---
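To make the interleaving in the diagram and in the deeper analysis concrete, here is an added single-threaded C model of the teardown ordering and of the flush_workqueue() fix; it is illustrative code written for this page, not kernel source. Every sim_-prefixed helper is an assumed stand-in for the kernel primitive of the same name, and the nci_* functions mirror the kernel's names but are likewise model stubs.

```c
#include <stdbool.h>
#include <stddef.h>
/* Model of nci_unregister_device() vs. nci_cmd_work() (added example, not
 * kernel code). sim_* helpers are stand-ins for the kernel primitives. */
struct nci_dev;
typedef void (*work_fn)(struct nci_dev *);
struct nci_dev {
    bool freed;        /* kfree(ndev) has run: the object is gone */
    bool timer_armed;  /* cmd_timer pending */
    work_fn pending;   /* one-slot cmd_wq; NULL when empty */
    bool uaf;          /* set when the timer is touched after free */
};
static void sim_del_timer_sync(struct nci_dev *d) { d->timer_armed = false; }
static void sim_queue_work(struct nci_dev *d, work_fn fn) { d->pending = fn; }
static void sim_kfree(struct nci_dev *d) { d->freed = true; }
static void sim_mod_timer(struct nci_dev *d)
{
    if (d->freed)
        d->uaf = true;  /* the write KASAN reports inside enqueue_timer() */
    d->timer_armed = true;
}
/* Run whatever is queued and leave the queue empty. Used both for "the
 * worker thread gets scheduled later" and for flush_workqueue(). */
static void sim_run_queued_work(struct nci_dev *d)
{
    work_fn fn = d->pending;
    d->pending = NULL;
    if (fn)
        fn(d);
}
/* nci_cmd_work(): after sending a command it re-arms cmd_timer [2] */
static void nci_cmd_work(struct nci_dev *d) { sim_mod_timer(d); }
/* Thread-2: nci_dev_up() -> nci_send_cmd() -> queue_work(cmd_work) */
static void nci_dev_up(struct nci_dev *d) { sim_queue_work(d, nci_cmd_work); }
/* Returns true when teardown hits the UAF. flush_first models the fix:
 * flush_workqueue(cmd_wq) before del_timer_sync() and kfree(). */
static bool teardown_hits_uaf(bool flush_first)
{
    struct nci_dev d = {0};
    nci_dev_up(&d);                 /* cmd_work queued, not yet run */
    if (flush_first)
        sim_run_queued_work(&d);    /* flush_workqueue(): worker runs now */
    sim_del_timer_sync(&d);         /* [1] */
    sim_kfree(&d);                  /* [3] */
    sim_run_queued_work(&d);        /* late worker: mod_timer() [2] */
    return d.uaf;
}
```

teardown_hits_uaf(false) reproduces the unpatched ordering and reports the UAF; teardown_hits_uaf(true) drains the queue first, so the late worker finds nothing to run and the freed object is never touched.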

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

UAF race in kernel NFC NCI enables local privilege escalation via arbitrary code execution or targeted kernel crash/DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31419 (same product: Linux Linux Kernel)
CVE-2025-21883 (same product: Linux Linux Kernel)
CVE-2022-49196 (same product: Linux Linux Kernel)
CVE-2026-43056 (same product: Linux Linux Kernel)
CVE-2025-21791 (same product: Linux Linux Kernel)
CVE-2022-49129 (same product: Linux Linux Kernel)
CVE-2025-21751 (same product: Linux Linux Kernel)
CVE-2026-31511 (same product: Linux Linux Kernel)
CVE-2026-23171 (same product: Linux Linux Kernel)
CVE-2026-31580 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.18; 3.2 to 4.9.311; 4.10 to 4.14.276; 4.15 to 4.19.239

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely remediation of known flaws by applying the Linux kernel patches that add flush_workqueue to drain workqueues before NCI device cleanup, directly preventing the UAF race condition.

Detect: Vulnerability scanning periodically identifies kernel versions affected by CVE-2022-49059, enabling proactive patching to mitigate the NFC NCI UAF vulnerability.

Prevent: Establishes secure kernel configuration settings that can disable unnecessary NFC drivers or enforce hardening parameters to reduce exposure to the device detachment race condition.