CVE-2022-49359
Published: 26 February 2025
Summary
CVE-2022-49359 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49359 is a use-after-free vulnerability in the Linux kernel's drm/panfrost driver. The issue arises because the job structure references panfrost_priv to access the MMU context, even though the MMU context can outlive the panfrost_priv structure after it has been freed. This leads to a use-after-free condition when attempting to access the freed panfrost_priv, which has been observed to trigger kernel splats.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability. Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. The attacker requires local access but no user interaction, enabling potential arbitrary code execution, privilege escalation, or system crashes within the kernel context.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 472dd7ea5e19a1aeabf1711ddc756777e05ee7c2, 6e516faf04317db2c46cbec4e3b78b4653a5b109, and 8c8e8cc91a6ffc79865108279a74fd57d9070a17. These patches eliminate the reference to panfrost_priv in the job structure and introduce a direct reference to the MMU structure instead.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54870
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Job should reference MMU not file_priv. For a while now it's been allowed for an MMU context to outlive its corresponding panfrost_priv, however the job structure still references panfrost_priv to get hold of the MMU context. If panfrost_priv has been freed this is a use-after-free which I've been able to trigger resulting in a splat. To fix this, drop the reference to panfrost_priv in the job structure and add a direct reference to the MMU structure which is what's actually needed.
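The lifetime problem described in the analysis above and in the resolved-vulnerability text is easiest to see with the two job layouts side by side. The following is an added, constructed user-space model and is not the panfrost driver's code: the names (mmu_ctx, file_priv, job_vuln, job_fixed, mmu_ctx_get/mmu_ctx_put) are simplified stand-ins, and "freeing" is modelled with flags so that the stale access is detected rather than being undefined behaviour. The vulnerable layout reaches the MMU through a file_priv pointer it holds no reference on; the fixed layout takes its own counted reference on the MMU, so closing the file while the job is still queued no longer matters.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not panfrost code. Names are simplified stand-ins. */

/* The MMU context. Reference counted, since more than one owner may need it. */
struct mmu_ctx {
    int refcount;
    int as;        /* address-space id, only used as a return value below */
    int freed;     /* model of the context having been released */
};

/* Per-open-file state, standing in for panfrost_priv. Owns one MMU reference. */
struct file_priv {
    int alive;             /* model of "this memory has not been freed" */
    struct mmu_ctx *mmu;
};

/* Vulnerable job layout: goes through file_priv to find the MMU. */
struct job_vuln {
    struct file_priv *file_priv;   /* no reference taken, may dangle */
};

/* Fixed job layout: holds its own counted reference to the MMU. */
struct job_fixed {
    struct mmu_ctx *mmu;
};

static int stale_accesses;   /* accesses made through a dead file_priv */

static struct mmu_ctx *mmu_ctx_get(struct mmu_ctx *m)
{
    m->refcount++;
    return m;
}

static void mmu_ctx_put(struct mmu_ctx *m)
{
    if (--m->refcount == 0)
        m->freed = 1;   /* a real driver would tear the context down here */
}

static struct file_priv *file_priv_open(int as)
{
    struct file_priv *fp = calloc(1, sizeof(*fp));
    struct mmu_ctx *m = calloc(1, sizeof(*m));
    m->refcount = 1;
    m->as = as;
    fp->mmu = m;
    fp->alive = 1;
    return fp;
}

/* File closed: the file drops its MMU reference. The memory is deliberately
 * kept (not free()d) so a later stale access is detected by the model. */
static void file_priv_release(struct file_priv *fp)
{
    mmu_ctx_put(fp->mmu);
    fp->alive = 0;
}

/* Vulnerable path: the job dereferences file_priv to reach the MMU. */
static int job_vuln_run(struct job_vuln *job)
{
    struct file_priv *fp = job->file_priv;
    if (!fp->alive) {           /* in the kernel this is the use-after-free */
        stale_accesses++;
        return -1;
    }
    return fp->mmu->as;
}

/* Fixed path: the job uses the MMU it holds a reference on; file_priv is
 * never consulted after submission. */
static int job_fixed_run(struct job_fixed *job)
{
    if (job->mmu->freed)
        return -1;              /* cannot happen while the job holds a ref */
    return job->mmu->as;
}

/* Scenario: the file is closed while its job is still queued, then the job
 * runs. Returns the number of stale accesses (1 for the vulnerable layout). */
int run_vulnerable_scenario(void)
{
    struct file_priv *fp = file_priv_open(3);
    struct job_vuln job = { .file_priv = fp };

    stale_accesses = 0;
    file_priv_release(fp);           /* MMU refcount 1 -> 0, fp dead */
    job_vuln_run(&job);              /* goes through the dead fp */
    free(fp->mmu);
    free(fp);
    return stale_accesses;
}

/* Same ordering with the fixed layout. Returns the AS id the job used, or -1.
 * *mmu_released reports whether the last reference was dropped at job end. */
int run_fixed_scenario(int *mmu_released)
{
    struct file_priv *fp = file_priv_open(3);
    struct job_fixed job = { .mmu = mmu_ctx_get(fp->mmu) };  /* refcount 2 */
    struct mmu_ctx *m = job.mmu;
    int as;

    file_priv_release(fp);           /* refcount 2 -> 1, MMU stays valid */
    as = job_fixed_run(&job);        /* fp is no longer needed */
    mmu_ctx_put(job.mmu);            /* job done: refcount 1 -> 0 */
    *mmu_released = m->freed;
    free(m);
    free(fp);
    return as;
}

int main(void)
{
    int released = 0;
    int as;

    printf("vulnerable layout: %d stale access(es)\n", run_vulnerable_scenario());
    as = run_fixed_scenario(&released);
    printf("fixed layout: job used AS %d, MMU released at job end: %d\n", as, released);
    return 0;
}
```

The design point is the one the commit message makes: a job must hold a reference on the object it actually needs (the MMU context), not on an intermediate owner whose lifetime it does not control. In the fixed layout the reference is taken at submission and dropped when the job completes, so the MMU's teardown is ordered after the last user regardless of when the file is closed.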
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free in panfrost driver directly enables exploitation for privilege escalation to root via arbitrary code execution in kernel context.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws, directly addressing the use-after-free in the panfrost driver by applying the specified kernel patches.
SI-16 implements memory protections such as address randomization and guard pages that mitigate exploitation of the use-after-free vulnerability in kernel memory accesses.
RA-5 enables vulnerability scanning to identify systems running vulnerable kernel versions affected by CVE-2022-49359 in the panfrost driver.