Cyber Resilience

CVE-2022-49359

High

Published: 26 February 2025

Modified: 25 March 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49359 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49359 is a use-after-free vulnerability in the Linux kernel's drm/panfrost driver. The job structure references panfrost_priv in order to reach the MMU context, but an MMU context is allowed to outlive its corresponding panfrost_priv. If panfrost_priv has already been freed when the job follows that reference, the access is a use-after-free, which has been observed to trigger kernel splats.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability. Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. The attacker requires local access but no user interaction, enabling potential arbitrary code execution, privilege escalation, or system crashes within the kernel context.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 472dd7ea5e19a1aeabf1711ddc756777e05ee7c2, 6e516faf04317db2c46cbec4e3b78b4653a5b109, and 8c8e8cc91a6ffc79865108279a74fd57d9070a17. These patches eliminate the reference to panfrost_priv in the job structure and introduce a direct reference to the MMU structure instead.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

drm/panfrost: Job should reference MMU not file_priv

For a while now it's been allowed for a MMU context to outlive its corresponding panfrost_priv, however the job structure still references panfrost_priv to get hold of the MMU context. If panfrost_priv has been freed this is a use-after-free which I've been able to trigger resulting in a splat.

To fix this, drop the reference to panfrost_priv in the job structure and add a direct reference to the MMU structure which is what's actually needed.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in panfrost driver directly enables exploitation for privilege escalation to root via arbitrary code execution in kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2023-52974 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2022-49176 · Same product: Linux Linux Kernel
CVE-2022-49291 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 5.10.67 — 5.11 · 5.13.19 — 5.14 · 5.14.6 — 5.17.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 requires timely remediation of flaws, directly addressing the use-after-free in the panfrost driver by applying the specified kernel patches.

Prevent: SI-16 implements memory protections such as address randomization and guard pages that mitigate exploitation of the use-after-free vulnerability in kernel memory accesses.

Detect: RA-5 enables vulnerability scanning to identify systems running vulnerable kernel versions affected by CVE-2022-49359 in the panfrost driver.
