CVE-2022-49223
Published: 26 February 2025
Summary
CVE-2022-49223 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49223 is a use-after-free in the Linux kernel's CXL (Compute Express Link) subsystem, specifically the cxl/port code in cxl_core. cxl_decoder_release() dereferences its parent cxl_port (via to_cxl_port()) to return the decoder's ID to the port's decoder_ida, but by then the port may already have been freed: the device core only keeps a parent alive until its children are unregistered, not until their ->release() callbacks have run, and a kobject's release can run later from a workqueue. KASAN together with DEBUG_KOBJECT_RELEASE (which deliberately delays kobject release to expose exactly this class of bug) caught it as an 8-byte read of freed memory from kobject_delayed_cleanup on a 5.17.0-rc2 kernel. The vulnerability is classified as CWE-416 and carries a CVSS v3.1 base score of 7.8.
Per the CVSS vector, a local attacker with low privileges could exploit it without user interaction and with low attack complexity, with high impact on confidentiality, integrity and availability: a kernel use-after-free can yield arbitrary code execution in kernel context and privilege escalation, or simply crash the system. Note the trigger path, though: the dangling access happens in the decoder's release callback during CXL port/decoder teardown, so an attacker has to drive device removal (driver unbind or hot-removal, for example) on a host with the CXL code loaded, and has to win the ordering between the port's free and the deferred decoder release. That is consistent with the below-median exploit-likelihood percentile above.
Mitigation is to apply the kernel fix commits referenced for this CVE:
- 49f2dab77a5e1354f5da6ccdc9346a8212697be2
- 518bb96367123062b48b0a9842f2864249b565f6
- 74be98774dfbc5b8b795db726bd772e735d2edd4
- b0022ca445d5fc4d0c89d15dcd0f855977b22c1d
The patch makes the decoder take a reference on its parent port and hold it until the decoder's own release has finished, which is what the device core requires of any child whose ->release() callback needs its parent.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55003
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Hold port reference until decoder release

KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida.

BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
<TASK>
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/0x90 [cxl_core]
kasan_report.cold+0x83/0xdf
? to_cxl_port+0x18/0x90 [cxl_core]
to_cxl_port+0x18/0x90 [cxl_core]
cxl_decoder_release+0x2a/0x60 [cxl_core]
device_release+0x5f/0x100
kobject_cleanup+0x80/0x1c0

The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent.
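To make the lifetime rule in the commit message concrete, here is an added example in C; it is not kernel code and not from this advisory. It models a kobject with counted references, a deferred release standing in for kobject_delayed_cleanup, and a decoder whose ->release() returns its id to the parent port, then tears the pair down in the order the KASAN report shows. The names kobj, port, decoder, teardown_scenario and the bitmap standing in for the IDA are assumptions of the model, and the comments' mentions of cxl_decoder_alloc(), get_device() and put_device() describe the fix pattern rather than quote the patch. With hold_port = 0 the decoder's release runs after the port was freed, the access is counted as a use-after-free and the id leaks; with hold_port = 1 (the fix: take a reference at allocation, drop it only after the ida_free) the port outlives the decoder's release.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the kobject/device-core lifetime rules behind CVE-2022-49223.
 * Added example, not Linux kernel code. Nothing is really freed: "release"
 * poisons the object so a later access is counted, as KASAN did in to_cxl_port(). */

struct kobj;
typedef void (*release_fn)(struct kobj *);
struct kobj {
    int refs, poisoned, defer_release;  /* poisoned: "freed"; defer_release: cleanup via workqueue */
    release_fn release;
};

static struct kobj *deferred[8];
static int ndeferred, uaf_reports;   /* uaf_reports: accesses to poisoned objects (KASAN hits) */

static struct kobj *kobj_get(struct kobj *k) { k->refs++; return k; }

static void kobj_release_now(struct kobj *k)
{
    k->release(k);       /* subsystem ->release(), e.g. cxl_decoder_release() */
    k->poisoned = 1;     /* the kfree() would happen here */
}

static void kobj_put(struct kobj *k)
{
    if (--k->refs) return;
    if (k->defer_release) deferred[ndeferred++] = k;   /* models kobject_delayed_cleanup */
    else kobj_release_now(k);
}

static void run_deferred_cleanup(void)
{
    for (int i = 0; i < ndeferred; i++)
        kobj_release_now(deferred[i]);
    ndeferred = 0;
}

/* Stand-ins for struct cxl_port and struct cxl_decoder. */
struct port { struct kobj kobj; unsigned long decoder_ida; /* id bitmap */ };
struct decoder {
    struct kobj kobj;
    struct port *port;   /* parent; a counted reference only when hold_port is set */
    int id, hold_port;   /* hold_port = 1 is the fixed variant */
};

/* The device core pins the parent only between device_add() and device_del();
 * the child's ->release() may run after device_del(). */
static void device_add(struct decoder *d) { kobj_get(&d->port->kobj); }
static void device_del(struct decoder *d) { kobj_put(&d->port->kobj); }
static void port_release(struct kobj *k) { (void)k; }

static void decoder_release(struct kobj *k)
{
    struct decoder *d = (struct decoder *)k;
    if (d->port->kobj.poisoned)              /* to_cxl_port() on freed memory */
        uaf_reports++;
    else
        d->port->decoder_ida &= ~(1UL << d->id);  /* ida_free(&port->decoder_ida, id) */
    if (d->hold_port)
        kobj_put(&d->port->kobj);            /* fix: put_device(&port->dev) after the ida_free */
}

struct outcome { int uaf_reports; int id_leaked; };

/* One port, one decoder: the decoder's release is deferred while the port's owner drops its last ref. */
static struct outcome teardown_scenario(int fixed)
{
    static struct port p;
    static struct decoder d;
    struct outcome out;

    memset(&p, 0, sizeof p); memset(&d, 0, sizeof d);
    ndeferred = uaf_reports = 0;
    p.kobj.refs = 1; p.kobj.release = port_release;

    /* cxl_decoder_alloc(): take id 0 from the port's ida */
    d.kobj.refs = 1; d.kobj.release = decoder_release; d.kobj.defer_release = 1;
    d.port = &p; p.decoder_ida |= 1UL << d.id; d.hold_port = fixed;
    if (fixed)
        kobj_get(&p.kobj);                   /* fix: get_device(&port->dev) at alloc */
    device_add(&d);

    device_del(&d);                          /* core drops its pin on the port */
    kobj_put(&d.kobj);                       /* decoder's last ref: release deferred */
    kobj_put(&p.kobj);                       /* port owner's last ref */
    run_deferred_cleanup();                  /* decoder_release() finally runs */

    out.uaf_reports = uaf_reports;
    out.id_leaked = (p.decoder_ida != 0);
    return out;
}

int main(void)
{
    struct outcome bug = teardown_scenario(0), fix = teardown_scenario(1);
    printf("unfixed: uaf=%d id_leaked=%d   fixed: uaf=%d id_leaked=%d\n",
           bug.uaf_reports, bug.id_leaked, fix.uaf_reports, fix.id_leaked);
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The ordering that matters is the same as in the trace: the parent's pin is dropped at device_del(), the port owner's final put frees the port immediately, and the child's release arrives later from the cleanup queue. Taking the extra reference at allocation and releasing it as the last step of ->release() is the only change between the two runs.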
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
T1068, Exploitation for Privilege Escalation: a kernel use-after-free in the CXL subsystem is a memory-corruption primitive that, if an attacker can trigger the decoder teardown path, can be turned into arbitrary code execution in kernel context and therefore local privilege escalation.
Affected Assets: Linux kernel builds that include the CXL bus driver (cxl_core, cxl/port) and predate the fix commits listed above.
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-2 (Flaw Remediation): directly mitigates the use-after-free by requiring that the flaw in the kernel's CXL port decoder release path be identified, reported, prioritised and patched in a timely manner, i.e. that the fix commits above are deployed.
- Memory protection (the page does not name the control; the description matches SI-16, Memory Protection): kernel exploit-mitigation features such as KASLR and SMEP/SMAP raise the cost of turning the use-after-free into code execution on an unpatched system. Stack protection does not help against a heap use-after-free; the allocator-side mitigations relevant here are slab hardening options such as CONFIG_SLAB_FREELIST_HARDENED and init_on_free.
- CM-6 (Configuration Settings): enforce a secure kernel baseline that enables the hardening features above and does not build or load the CXL components where no CXL hardware is present (CONFIG_CXL_BUS disabled, or the cxl_core module not loadable), which removes the vulnerable code from the attack surface.