Cyber Posture

CVE-2022-49063

High

Published: 26 February 2025
Modified: 18 November 2025
KEV Added: not listed
Patch: available
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49063 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, its EPSS score places it at the 3.5th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely application of patches for known kernel flaws such as this use-after-free in the ice driver's aRFS code removes the vulnerability, which is triggered during device reset operations.

Prevent: Memory-protection mechanisms such as ASLR and data execution prevention raise the cost of exploiting the use-after-free by making unauthorized memory access or code execution harder.

Detect: Vulnerability scanning and monitoring detect the presence of kernel CVEs such as CVE-2022-49063 on deployed systems, enabling remediation before exploitation.

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

ice: arfs: fix use-after-free when freeing @rx_cpu_rmap

The CI testing bots triggered the following splat:

[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80
[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834
[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1
[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020
[ 718.223418] Call Trace:
[ 718.227139]
[ 718.230783] dump_stack_lvl+0x33/0x42
[ 718.234431] print_address_description.constprop.9+0x21/0x170
[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80
[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80
[ 718.245539] kasan_report.cold.18+0x7f/0x11b
[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80
[ 718.252852] free_irq_cpu_rmap+0x53/0x80
[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]
[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]
[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]
[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]
[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]
[ 718.278033] ? delay_tsc+0x4a/0xb0
[ 718.281513] ? preempt_count_sub+0x14/0xc0
[ 718.284984] ? delay_tsc+0x8f/0xb0
[ 718.288463] ice_do_reset+0x92/0xf0 [ice]
[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]
[ 718.295561] pci_reset_function+0x53/0x80
<...>
[ 718.393035] Allocated by task 690:
[ 718.433497] Freed by task 20834:
[ 718.495688] Last potentially related work creation:
[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96
[ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60)
[ 718.579265] The buggy address belongs to the page:
[ 718.598905] Memory state around the buggy address:
[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.610811] ^
[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc

This is due to that free_irq_cpu_rmap() is always being called *after* (devm_)free_irq() and thus it tries to work with IRQ descs already freed. For example, on device reset the driver frees the rmap right before allocating a new one (the splat above).

Make rmap creation and freeing function symmetrical with {request,free}_irq() calls i.e. do that on ifup/ifdown instead of device probe/remove/resume. These operations can be performed independently from the actual device aRFS configuration.

Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers only when aRFS is disabled -- otherwise, CPU rmap sets and clears its own and they must not be touched manually.

Deeper analysis

CVE-2022-49063 is a use-after-free vulnerability in the Linux kernel's ice driver, specifically in its Accelerated Receive Flow Steering (aRFS) implementation. The issue occurs when the rx_cpu_rmap structure is freed by free_irq_cpu_rmap(), because that function is called after (devm_)free_irq() and therefore walks IRQ descriptors that have already been freed. KASAN detected it during CI testing on kernel version 5.17.0-rc8 as a 4-byte read from a freed kmalloc-96 object during a device reset path such as ice_pci_err_resume().

The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a local attacker with low privileges and no user interaction, with high impact on confidentiality, integrity, and availability. The dangling reference is reached during driver operations such as device reset or rebuild, where the rmap is freed before a new one is allocated, so the consequences range from memory corruption and kernel crashes to, potentially, arbitrary code execution.

Kernel patches address the issue by making rmap creation and freeing symmetrical with the request_irq()/free_irq() calls, moving these operations to ifup/ifdown events so they are independent of probe/remove/resume. Additionally, ice_vsi_free_irq() now clears IRQ affinity notifiers only when aRFS is disabled, to avoid interfering with the CPU rmap's own notifier management. Fixes are available in stable kernel commits 618df75f2e30c7838a3e010ca32cd4893ec9fe33, ba2f6ec28733fb6b24ed086e676df3df4c138f3f, d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3, and d7442f512b71fc63a99c8a801422dde4fbbf9f93, with Debian LTS announcements confirming backports.
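The lifetime bug and the fix described above, modelled in user-space C as an added example (this is not kernel or ice driver code; the model_* and teardown_* names are hypothetical stand-ins for request_irq()/free_irq(), irq_cpu_rmap_add() and free_irq_cpu_rmap()). The model replaces kfree() with a liveness flag so the dangling reference is counted instead of read, and contrasts the pre-fix teardown order (IRQs released first, rmap freed afterwards) with the post-fix order (rmap freed on ifdown, while its IRQ descriptors are still alive):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_IRQS 4

/* Toy IRQ descriptor: what free_irq() tears down in the kernel. */
struct irq_desc {
    int irq;
    bool affinity_notifier;   /* set while a CPU rmap notifier is registered */
};

/* Toy cpu_rmap: holds references to IRQ descriptors (the dependent object). */
struct cpu_rmap {
    struct irq_desc *descs[NR_IRQS];
    size_t used;
};

/* Static descriptor pool plus liveness flags: stands in for kmalloc/kfree so a
 * dangling reference is counted rather than read (KASAN's role in the splat). */
static struct irq_desc pool[NR_IRQS];
static bool alive[NR_IRQS];

static struct irq_desc *model_request_irq(int irq)
{
    pool[irq].irq = irq;
    pool[irq].affinity_notifier = false;
    alive[irq] = true;
    return &pool[irq];
}

static void model_free_irq(struct irq_desc *d)
{
    alive[d->irq] = false;   /* the kernel would kfree() the descriptor here */
}

static void model_rmap_add(struct cpu_rmap *rmap, struct irq_desc *d)
{
    rmap->descs[rmap->used++] = d;
    d->affinity_notifier = true;   /* the rmap registers its own notifier */
}

/* Returns how many descriptors were already freed when the rmap touched them;
 * 0 means the teardown order was safe. */
static int model_free_irq_cpu_rmap(struct cpu_rmap *rmap)
{
    int dangling = 0;
    for (size_t i = 0; i < rmap->used; i++) {
        struct irq_desc *d = rmap->descs[i];
        if (!alive[d->irq]) {
            dangling++;                 /* use-after-free in the real driver */
            continue;
        }
        d->affinity_notifier = false;   /* the rmap clears its own notifier */
    }
    rmap->used = 0;
    return dangling;
}

/* ifup in both models: request the IRQs and register them with the rmap. */
static void bring_up(struct cpu_rmap *rmap, struct irq_desc **d)
{
    rmap->used = 0;
    for (int i = 0; i < NR_IRQS; i++) {
        d[i] = model_request_irq(i);
        model_rmap_add(rmap, d[i]);
    }
}

/* Pre-fix lifetime: rmap tied to probe/remove, so on reset the IRQs are
 * released first and the rmap is freed afterwards. */
int teardown_rmap_after_irqs(void)
{
    struct cpu_rmap rmap;
    struct irq_desc *d[NR_IRQS];
    bring_up(&rmap, d);
    for (int i = 0; i < NR_IRQS; i++)
        model_free_irq(d[i]);
    return model_free_irq_cpu_rmap(&rmap);
}

/* Post-fix lifetime: rmap tied to ifup/ifdown, so it is freed while the
 * IRQs it references are still allocated, mirroring request/free_irq. */
int teardown_rmap_before_irqs(void)
{
    struct cpu_rmap rmap;
    struct irq_desc *d[NR_IRQS];
    bring_up(&rmap, d);
    int dangling = model_free_irq_cpu_rmap(&rmap);
    for (int i = 0; i < NR_IRQS; i++)
        model_free_irq(d[i]);
    return dangling;
}

int main(void)
{
    printf("rmap freed after IRQs:  %d dangling descriptors\n", teardown_rmap_after_irqs());
    printf("rmap freed before IRQs: %d dangling descriptors\n", teardown_rmap_before_irqs());
    return 0;
}
```

The invariant the fix restores is the general one for any object that caches pointers into another allocation: release the dependent object (the rmap) before the allocation it refers to (the IRQ descriptors), and tie both to the same lifecycle events so a reset path cannot reorder them.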

Details

CWE(s): CWE-416 (Use After Free)

Affected Products:
- Linux: Linux Kernel, versions 5.18; 5.8 to 5.10.238; 5.11 to 5.15.184; 5.16 to 5.17.4
- Debian: Debian Linux, version 11.0

CVEs Like This One

- CVE-2023-52935 (same product: Debian Debian Linux)
- CVE-2023-52927 (same product: Debian Debian Linux)
- CVE-2024-58054 (same product: Debian Debian Linux)
- CVE-2025-38352 (same product: Debian Debian Linux)
- CVE-2024-57795 (same product: Linux Linux Kernel)
- CVE-2026-31665 (same product: Linux Linux Kernel)
- CVE-2026-23221 (same product: Linux Linux Kernel)
- CVE-2025-21763 (same product: Linux Linux Kernel)
- CVE-2025-21631 (same product: Linux Linux Kernel)
- CVE-2022-49238 (same product: Linux Linux Kernel)
