CVE-2022-49082
Published: 26 February 2025
Summary
CVE-2022-49082 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.1 percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49082 is a use-after-free in the Linux kernel's mpt3sas SCSI driver, in the function _scsih_expander_node_remove(). That function calls mpt3sas_transport_port_remove(), which frees the port field of the sas_expander structure, and then passes a field of that freed port object to ioc_info() to format a log message. The stale read is a single byte, and KASAN reports it whenever the path runs, for example during rmmod of the driver module. The flaw is classified as CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Affected kernels are those that contain the unpatched mpt3sas code; the fix commits listed below, rather than a version range, identify whether a given tree is fixed.
The CVSS vector assumes a local attacker with low privileges who can reach the affected path. In practice the documented trigger is unloading the driver module, which requires CAP_SYS_MODULE (root); the same function also runs when an expander disappears from the SAS topology, an event driven by the controller's firmware rather than by an unprivileged user. The primitive the KASAN report shows is a one-byte read of freed slab memory used to build a log line, so the immediate outcome is a stale port ID in the log or, on a kernel with KASAN or comparable hardening enabled, a reported bug and a denial of service. Turning that into arbitrary kernel read/write or kernel-context code execution, which the C:H/I:H/A:H impact ratings allow for, would require controlling what is reallocated into the freed object in the window between the free and the read; that is a much harder step than the bug itself and is not what the report demonstrates.
Mitigation is applying the upstream fix, which the referenced stable branches carry as commits 17d66b1c92bcb41e72271ec60069d3684aaa1c9c, 1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c, 25c1353dca74ad7cf3fd7ce258fe7c957a147d5e, and 87d663d40801dffc99a5ad3b0188ad3e2b4d1557. The patch copies the port ID into a local variable (port_id) before calling mpt3sas_transport_port_remove() and passes that local to ioc_info(), so the freed structure is never dereferenced. Systems whose storage is managed by mpt3sas (Broadcom, formerly LSI/Avago, SAS HBAs and controllers) should move to a kernel that contains one of these commits; on distribution kernels, confirm the fix through the vendor changelog by commit or CVE ID rather than by kernel version number alone.
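To make the ordering concrete, the following is a userspace C model of the bug and of the fix. It is an added illustration, not mpt3sas code: the struct and function names (hba_port, sas_expander, transport_port_remove, expander_node_remove_vulnerable, expander_node_remove_fixed) are simplified stand-ins for the driver's own, and the SAS address and port ID are constructed. It emulates kernel slab poisoning by filling the freed object with 0x6b (the kernel's POISON_FREE byte) inside a one-object static "slab", so the stale read returns a deterministic garbage value instead of undefined behaviour.

```c
/* Userspace model of CVE-2022-49082 (added example, not kernel code).
 * Names are simplified stand-ins for the mpt3sas driver's objects. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The kernel slab poisoner fills freed objects with 0x6b (POISON_FREE);
 * emulating that makes the stale read deterministic rather than UB. */
#define POISON_FREE 0x6b

struct hba_port {                /* stand-in for the driver's port object */
    uint8_t port_id;
    uint8_t pad[7];
};

struct sas_expander {            /* stand-in for the expander node */
    uint64_t         sas_address;
    struct hba_port *port;       /* freed by transport_port_remove() */
};

/* One-object "slab" so the freed address stays mapped and readable. */
static struct hba_port slab_obj;
static int slab_in_use;

static struct hba_port *port_alloc(uint8_t port_id)
{
    if (slab_in_use)
        return NULL;
    slab_in_use = 1;
    memset(&slab_obj, 0, sizeof slab_obj);
    slab_obj.port_id = port_id;
    return &slab_obj;
}

static void port_free(struct hba_port *p)
{
    memset(p, POISON_FREE, sizeof *p);   /* what slab poisoning does on kfree() */
    slab_in_use = 0;
}

/* Models mpt3sas_transport_port_remove(): releases the port but leaves
 * expander->port dangling, the state the KASAN splat describes. */
static void transport_port_remove(struct sas_expander *exp)
{
    port_free(exp->port);
}

/* Vulnerable ordering: free first, then read ->port->port_id for the log line. */
static int expander_node_remove_vulnerable(struct sas_expander *exp, char *log, size_t n)
{
    transport_port_remove(exp);
    int id = exp->port->port_id;             /* read of size 1 from freed memory */
    snprintf(log, n, "expander(0x%016llx, port %d) removed",
             (unsigned long long)exp->sas_address, id);
    return id;
}

/* Fixed ordering (what the upstream patch does): save port_id to a local
 * while the object is still live, then free, then log from the local. */
static int expander_node_remove_fixed(struct sas_expander *exp, char *log, size_t n)
{
    int port_id = exp->port->port_id;
    transport_port_remove(exp);
    exp->port = NULL;   /* extra hardening, not in the upstream fix: a later deref faults loudly */
    snprintf(log, n, "expander(0x%016llx, port %d) removed",
             (unsigned long long)exp->sas_address, port_id);
    return port_id;
}

/* Drive both variants with the same constructed expander (port_id 5). */
static char last_log_buf[96];
const char *last_log(void) { return last_log_buf; }

int run_vulnerable(void)
{
    struct sas_expander exp = { .sas_address = 0x5000c50012345678ULL, .port = port_alloc(5) };
    return expander_node_remove_vulnerable(&exp, last_log_buf, sizeof last_log_buf);
}

int run_fixed(void)
{
    struct sas_expander exp = { .sas_address = 0x5000c50012345678ULL, .port = port_alloc(5) };
    return expander_node_remove_fixed(&exp, last_log_buf, sizeof last_log_buf);
}

int main(void)
{
    printf("vulnerable: logged port %d  (%s)\n", run_vulnerable(), last_log());
    printf("fixed:      logged port %d  (%s)\n", run_fixed(), last_log());
    return 0;
}
```

The vulnerable variant logs port 107 (0x6b) because it reads the poisoned byte after the free, while the fixed variant logs the real port ID 5. In the driver the same stale read is what KASAN flags as a use-after-free; on a kernel without KASAN or slab poisoning the log line simply contains whatever byte now sits in the freed slot, which is why the bug can go unnoticed in production until a hardened kernel reports it.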
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55122
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

The function mpt3sas_transport_port_remove() called in _scsih_expander_node_remove() frees the port field of the sas_expander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ==================================================================
[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
[ 3479.393524]
[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
[ 3479.409263] Call Trace:
[ 3479.411743] <TASK>
[ 3479.413875] dump_stack_lvl+0x45/0x59
[ 3479.417582] print_address_description.constprop.0+0x1f/0x120
[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.429469] kasan_report.cold+0x83/0xdf
[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40
[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]
[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
[ 3479.465529] ? down_write+0xde/0x150
[ 3479.470746] ? up_write+0x14d/0x460
[ 3479.475840] ? kernfs_find_ns+0x137/0x310
[ 3479.481438] pci_device_remove+0x65/0x110
[ 3479.487013] __device_release_driver+0x316/0x680
[ 3479.493180] driver_detach+0x1ec/0x2d0
[ 3479.498499] bus_remove_driver+0xe7/0x2d0
[ 3479.504081] pci_unregister_driver+0x26/0x250
[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510
[ 3479.522315] ? free_module+0xaa0/0xaa0
[ 3479.527593] ? __cond_resched+0x1c/0x90
[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70
[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110
[ 3479.551828] do_syscall_64+0x35/0x80
[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 3479.563402] RIP: 0033:0x7f1fc482483b
...
[ 3479.943087] ==================================================================

Fix this by introducing the local variable port_id to store the port ID value before executing mpt3sas_transport_port_remove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The flaw is a local, kernel-space memory-safety bug, and the T1068 mapping follows from its CVSS impact ratings (C:H/I:H/A:H): a use-after-free in a kernel driver that an attacker could turn into a controlled write would yield code execution in kernel context. The primitive actually shown in the KASAN report is a one-byte read of freed memory inside a logging call, so the mapping reflects the worst-case impact class rather than a demonstrated escalation.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): remediate the use-after-free in the mpt3sas driver's _scsih_expander_node_remove() by moving to a kernel that carries the upstream fix commits, and verify the fix by commit or CVE ID in the vendor changelog.
- Vulnerability scanning: identify Linux hosts whose running kernel predates the fix and that have the mpt3sas driver bound to a controller, since only those hosts can reach the affected removal path, and prioritise them for patching.
- CM-6 (Configuration Settings): keep kernel builds on a managed baseline that includes the patched mpt3sas code, so the fix is not lost on rebuilds, reimages or locally maintained driver trees.