CVE-2022-49059
Published: 26 February 2025
Summary
CVE-2022-49059 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49059 is a use-after-free vulnerability in the Linux kernel's NFC NCI (Near Field Communication NCI) subsystem. The issue arises from a race condition during NCI device detachment, where concurrent execution between a delayed timer mechanism and workqueue scheduling allows a freed NCI device structure to be accessed. Specifically, in nci_unregister_device(), del_timer_sync() is called on cmd_timer followed by kfree(ndev), but a concurrent worker thread executing nci_cmd_work() can invoke mod_timer() on the already-freed timer, leading to the UAF. This affects Linux kernel versions prior to the application of the relevant stable patches, as demonstrated by a KASAN crash trace in kernel 5.18.0-rc2.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity (AV:L/AC:L/PR:L). Exploitation involves racing nci_unregister_device() (triggered via device close paths like tty release) against nci_dev_up() and nci_open_device() sequences that queue work and modify the timer. Successful exploitation results in a kernel crash, as shown in the provided POC crash trace involving enqueue_timer() writing to a freed address, enabling denial of service. The CVSS v3.1 score of 7.8 (C:H/I:H/A:H) indicates potential for high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution via the UAF.
Mitigation requires applying upstream Linux kernel stable patches, such as those in commits 1a1748d0dd0f0a98535c6baeef671c8722107639, 5c63ad2b0a267a524c12c88acb1ba9c2d109a801, 67677050cecbe0edfdd81cd508415e9636ba7c65, 7d3232214ca4ea8f7d18df264c3b254aa8089d7f, and 9d243aff5f7e6b04e907c617426bbdf26e996ac8. These patches add flush_workqueue() calls to ensure workqueue draining before device cleanup, preventing the timer re-armament race and UAF. Systems using NFC NCI drivers, such as nfcmrvl_nci over UART, should update to patched kernels.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55145
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: add flush_workqueue to prevent uaf Our detector found a concurrent use-after-free bug when detaching an NCI device. The main reason for this bug is the unexpected scheduling between…
more
the used delayed mechanism (timer and workqueue). The race can be demonstrated below: Thread-1 Thread-2 | nci_dev_up() | nci_open_device() | __nci_request(nci_reset_req) | nci_send_cmd | queue_work(cmd_work) nci_unregister_device() | nci_close_device() | ... del_timer_sync(cmd_timer)[1] | ... | Worker nci_free_device() | nci_cmd_work() kfree(ndev)[3] | mod_timer(cmd_timer)[2] In short, the cleanup routine thought that the cmd_timer has already been detached by [1] but the mod_timer can re-attach the timer [2], even it is already released [3], resulting in UAF. This UAF is easy to trigger, crash trace by POC is like below [ 66.703713] ================================================================== [ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490 [ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33 [ 66.703974] [ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5 [ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work [ 66.703974] Call Trace: [ 66.703974] <TASK> [ 66.703974] dump_stack_lvl+0x57/0x7d [ 66.703974] print_report.cold+0x5e/0x5db [ 66.703974] ? enqueue_timer+0x448/0x490 [ 66.703974] kasan_report+0xbe/0x1c0 [ 66.703974] ? enqueue_timer+0x448/0x490 [ 66.703974] enqueue_timer+0x448/0x490 [ 66.703974] __mod_timer+0x5e6/0xb80 [ 66.703974] ? mark_held_locks+0x9e/0xe0 [ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0 [ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410 [ 66.703974] ? queue_work_on+0x61/0x80 [ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130 [ 66.703974] process_one_work+0x8bb/0x1510 [ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230 [ 66.703974] ? rwlock_bug.part.0+0x90/0x90 [ 66.703974] ? _raw_spin_lock_irq+0x41/0x50 [ 66.703974] worker_thread+0x575/0x1190 [ 66.703974] ? process_one_work+0x1510/0x1510 [ 66.703974] kthread+0x2a0/0x340 [ 66.703974] ? kthread_complete_and_exit+0x20/0x20 [ 66.703974] ret_from_fork+0x22/0x30 [ 66.703974] </TASK> [ 66.703974] [ 66.703974] Allocated by task 267: [ 66.703974] kasan_save_stack+0x1e/0x40 [ 66.703974] __kasan_kmalloc+0x81/0xa0 [ 66.703974] nci_allocate_device+0xd3/0x390 [ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0 [ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd [ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0 [ 66.703974] tty_ioctl+0x764/0x1310 [ 66.703974] __x64_sys_ioctl+0x122/0x190 [ 66.703974] do_syscall_64+0x3b/0x90 [ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 66.703974] [ 66.703974] Freed by task 406: [ 66.703974] kasan_save_stack+0x1e/0x40 [ 66.703974] kasan_set_track+0x21/0x30 [ 66.703974] kasan_set_free_info+0x20/0x30 [ 66.703974] __kasan_slab_free+0x108/0x170 [ 66.703974] kfree+0xb0/0x330 [ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0 [ 66.703974] nci_uart_tty_close+0xdf/0x180 [ 66.703974] tty_ldisc_kill+0x73/0x110 [ 66.703974] tty_ldisc_hangup+0x281/0x5b0 [ 66.703974] __tty_hangup.part.0+0x431/0x890 [ 66.703974] tty_release+0x3a8/0xc80 [ 66.703974] __fput+0x1f0/0x8c0 [ 66.703974] task_work_run+0xc9/0x170 [ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0 [ 66.703974] syscall_exit_to_user_mode+0x19/0x50 [ 66.703974] do_syscall_64+0x48/0x90 [ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0x ---truncated---
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF race in kernel NFC NCI enables local privilege escalation via arbitrary code execution or targeted kernel crash/DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of known flaws by applying Linux kernel patches that add flush_workqueue to drain workqueues before NCI device cleanup, directly preventing the UAF race condition.
Vulnerability scanning periodically identifies kernel versions affected by CVE-2022-49059, enabling proactive patching to mitigate the NFC NCI UAF vulnerability.
Establishes secure kernel configuration settings that can disable unnecessary NFC drivers or enforce hardening parameters to reduce exposure to the device detachment race condition.