Cyber Resilience

CVE-2022-49223

Severity: High
Published: 26 February 2025
Modified: 25 March 2025
KEV Added: not listed
Patch: available upstream
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0011 (29.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49223 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel's CXL port code. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score of 0.0011 places it at the 29.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2022-49223 is a use-after-free in the Linux kernel's CXL (Compute Express Link) subsystem, in the cxl/port code of the cxl_core module. In cxl_decoder_release() the decoder dereferences its parent cxl_port (through to_cxl_port()) to return its ID to port->decoder_ida, but nothing guarantees the port is still allocated at that point: the device core keeps a parent alive only until its children are unregistered, not until their ->release() callbacks have actually run, and with deferred kobject cleanup the port's release can run first. KASAN with DEBUG_KOBJECT_RELEASE caught the bug as an 8-byte read from freed memory in to_cxl_port(), called from cxl_decoder_release() on the kobject_delayed_cleanup workqueue of a 5.17.0-rc2 kernel. The vulnerability is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8.

The CVSS vector describes a local attacker with low privileges, low attack complexity and no user interaction, with high impact on confidentiality, integrity and availability: a kernel use-after-free can in principle be turned into arbitrary code execution in kernel context, privilege escalation, or a crash. Two caveats matter for prioritisation. First, the faulting access runs from the kobject_delayed_cleanup workqueue when a decoder's release is processed after its parent port's, so the bug is reached through device teardown (port and decoder unregistration), and no public exploit is referenced here. Second, the EPSS score (29.7th percentile) points the same way. Treat the 7.8 as the worst-case impact, not as evidence of practical exploitability.

Mitigation is to apply the upstream fix, which the stable trees carry as commits 49f2dab77a5e1354f5da6ccdc9346a8212697be2, 518bb96367123062b48b0a9842f2864249b565f6, 74be98774dfbc5b8b795db726bd772e735d2edd4 and b0022ca445d5fc4d0c89d15dcd0f855977b22c1d. The change has each decoder hold a reference on its parent cxl_port for its whole lifetime and drop it only after cxl_decoder_release() has returned its ID to port->decoder_ida, so the port cannot be freed before any child's ->release() callback has run, which is what the device core requires of a child that needs its parent during release. The affected stable ranges are listed under Affected Assets; the first release after each range carries the fix, and on hosts without CXL hardware not loading cxl_core removes the code path until the kernel is updated.
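To make the lifetime rule concrete, here is an added user-space model in C. It is not kernel code and does not come from this page or from the CXL maintainers; every name in it (kref_sim, port_ida_free, decoder_alloc, teardown, run_vulnerable, run_fixed) is the example's own. A port owns an ID bitmap standing in for port->decoder_ida, each decoder returns its ID to the port from its release callback, and a final put queues the release instead of running it inline, the way kobject_put() behaves under DEBUG_KOBJECT_RELEASE. The queue is drained newest-first so the port's release runs before its decoders' whenever the refcounts allow it, which is the ordering KASAN caught. In the vulnerable variant every decoder release then touches the freed port; in the fixed variant each decoder takes a reference on its parent at allocation and drops it after returning its ID, mirroring the upstream fix, so the port's release can only be queued after the last decoder's has run.

```c
/* Added example, not Linux kernel code: a user-space model of the parent/child
 * release ordering behind CVE-2022-49223; all names here are the example's own. */
#include <stdbool.h>
#include <stdlib.h>

struct kref_sim { int refcount; void (*release)(struct kref_sim *); };

struct port {
	struct kref_sim kref;
	unsigned decoder_ida;	/* ID bitmap standing in for port->decoder_ida */
	bool freed;		/* set by port_release(); any later access is a UAF */
};

struct decoder {
	struct kref_sim kref;
	struct port *parent;	/* cxld->dev.parent in the kernel */
	int id;
	bool holds_parent_ref;	/* true only in the fixed variant */
};

struct teardown_result {
	int uaf_reports;	/* accesses to the port after its release */
	unsigned ids_left;	/* decoder IDs never returned to the port */
	bool port_released;
};

/* Final puts queue the release instead of running it inline, as kobject_put()
 * does under DEBUG_KOBJECT_RELEASE; teardown() drains the queue newest-first. */
static struct kref_sim *pending[16];
static int npending, uaf_reports;

static void kref_get_sim(struct kref_sim *k) { k->refcount++; }

static void kref_put_sim(struct kref_sim *k)
{
	if (--k->refcount == 0)
		pending[npending++] = k;
}

static void port_release(struct kref_sim *k)
{
	((struct port *)k)->freed = true;
}

static void port_ida_free(struct port *port, int id)
{
	if (port->freed)	/* the read KASAN flagged in to_cxl_port() */
		uaf_reports++;
	else
		port->decoder_ida &= ~(1u << id);
}

static void decoder_release(struct kref_sim *k)
{
	struct decoder *cxld = (struct decoder *)k;
	struct port *port = cxld->parent;
	port_ida_free(port, cxld->id);	/* needs the parent to still be alive */
	if (cxld->holds_parent_ref)
		kref_put_sim(&port->kref);	/* fixed: put_device(&port->dev) */
	free(cxld);
}

static struct decoder *decoder_alloc(struct port *port, int id, bool hold_ref)
{
	struct decoder *cxld = calloc(1, sizeof(*cxld));
	if (!cxld)
		abort();
	cxld->parent = port;
	cxld->id = id;
	port->decoder_ida |= 1u << id;	/* ida_alloc() stand-in */
	cxld->holds_parent_ref = hold_ref;
	if (hold_ref)
		kref_get_sim(&port->kref);	/* fixed: get_device(&port->dev) */
	cxld->kref = (struct kref_sim){ 1, decoder_release };
	return cxld;
}

/* Unregister ndec decoders, then the port, then run the queued releases. */
static struct teardown_result teardown(bool fixed, int ndec)
{
	struct port port = { .kref = { 1, port_release } };
	struct decoder *decs[8];
	npending = uaf_reports = 0;
	for (int i = 0; i < ndec; i++)
		decs[i] = decoder_alloc(&port, i, fixed);
	for (int i = 0; i < ndec; i++)
		kref_put_sim(&decs[i]->kref);	/* device_unregister(&cxld->dev) */
	kref_put_sim(&port.kref);		/* device_unregister(&port->dev) */
	while (npending > 0) {		/* newest-first: port before its decoders */
		struct kref_sim *k = pending[--npending];
		k->release(k);
	}
	return (struct teardown_result){ uaf_reports, port.decoder_ida, port.freed };
}

struct teardown_result run_vulnerable(void) { return teardown(false, 3); }
struct teardown_result run_fixed(void) { return teardown(true, 3); }
```

teardown() forces the worst-case ordering on purpose; in the kernel the order is whatever the delayed-cleanup timers produce, which is why the bug only surfaced under KASAN with DEBUG_KOBJECT_RELEASE. Note what the fix does and does not change: decoders are still unregistered before the port, but the port's refcount can no longer reach zero until the last decoder release has dropped its reference, so the ID bitmap is fully returned (ids_left is 0) and no access lands on freed memory.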

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Hold port reference until decoder release

KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida.

BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
<TASK>
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/0x90 [cxl_core]
kasan_report.cold+0x83/0xdf
? to_cxl_port+0x18/0x90 [cxl_core]
to_cxl_port+0x18/0x90 [cxl_core]
cxl_decoder_release+0x2a/0x60 [cxl_core]
device_release+0x5f/0x100
kobject_cleanup+0x80/0x1c0

The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A kernel use-after-free in the CXL subsystem, if it can be turned into a controlled write, gives arbitrary code execution in kernel context and therefore local privilege escalation; the mapping to T1068 reflects that potential rather than a known exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2023-52974 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2022-49176 (same product: Linux kernel)
CVE-2022-49291 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)

Affected Assets

Vendor: Linux
Product: Linux kernel
Affected versions: 5.14 to 5.15.54, 5.16 to 5.16.19, 5.17 to 5.17.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly mitigates the use-after-free by requiring the flaw in the Linux kernel's CXL port decoder release path to be identified, reported, prioritized and patched in a timely manner (the stable commits are listed under Deeper analysis).

Memory protection (prevent)
Kernel memory protections such as kernel address space layout randomization (KASLR), Supervisor Mode Execution Prevention (SMEP) and the stack protector raise the cost of turning the use-after-free into code execution on unpatched systems. They do not remove the bug, so they are a stopgap until the patch under SI-2 is applied.

CM-6 Configuration Settings (prevent)
Enforces a hardened baseline kernel configuration: enable the hardening features above, and do not build or load the CXL components (cxl_core and the CXL drivers) on systems without CXL hardware, which removes the vulnerable code path entirely.
