CVE-2022-49385
Published: 26 February 2025
Summary
CVE-2022-49385 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks in the 24.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49385 is a Use After Free (UAF) vulnerability in the Linux kernel's driver base subsystem, stemming from improper handling during driver attachment. Specifically, when the driver_attach function fails, the driver_private structure is freed even though it has already been added to the bus, leading to a UAF condition. This issue is tracked under CWE-416 and affects Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing the attacker to execute arbitrary code or cause denial of service within the kernel context.
Mitigation involves applying the upstream patches from the provided kernel stable commit references, such as https://git.kernel.org/stable/c/310862e574001a97ad02272bac0fd13f75f42a27 and others, which fix the issue by removing the driver_private from the bus before freeing it upon driver_attach failure. Security practitioners should ensure systems are updated to kernels incorporating these commits.
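The ordering problem described above, as an added user-space model (not kernel source and not part of the referenced commits): the `fixed` flag selects whether the failure path unlinks the entry from the bus before freeing it. All type and function names here are hypothetical stand-ins for the driver core's structures.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified user-space model of the error path; every name here is
 * hypothetical and none of this is kernel source. */
struct drv_priv { struct drv_priv *next; };
struct bus { struct drv_priv *drivers; };   /* the bus's list of drivers */
enum reg_result { REG_OK, REG_FAIL_CLEAN, REG_FAIL_DANGLING };

static void bus_link(struct bus *b, struct drv_priv *p)
{
    p->next = b->drivers;
    b->drivers = p;
}

static void bus_unlink(struct bus *b, struct drv_priv *p)
{
    for (struct drv_priv **pp = &b->drivers; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; return; }
}

static bool bus_holds(const struct bus *b, const struct drv_priv *p)
{
    for (const struct drv_priv *it = b->drivers; it; it = it->next)
        if (it == p) return true;
    return false;
}

/* attach_ok stands in for the result of driver_attach(); fixed selects
 * whether the failure path unlinks from the bus before freeing. */
static enum reg_result model_register(struct bus *b, bool attach_ok, bool fixed)
{
    struct drv_priv *p = calloc(1, sizeof(*p));
    if (!p) abort();
    bus_link(b, p);                 /* driver_private is added to the bus */
    if (attach_ok)
        return REG_OK;              /* stays registered; the bus owns it */
    if (fixed)
        bus_unlink(b, p);           /* the fix: delete it from the bus first */
    bool dangling = bus_holds(b, p);
    free(p);                        /* if dangling, the bus now points at freed memory */
    return dangling ? REG_FAIL_DANGLING : REG_FAIL_CLEAN;
}

int main(void)
{
    struct bus b = { NULL };
    return model_register(&b, false, true) == REG_FAIL_CLEAN ? 0 : 1;
}
```

In the unfixed ordering, any later walk of the bus list would dereference the freed entry, which is why the model reports the state instead of traversing the list afterwards.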
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54844
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: driver: base: fix UAF when driver_attach failed. When driver_attach(drv); failed, the driver_private will be freed. But it has been added to the bus, which caused a UAF. To fix it, we need to delete it from the bus when failed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in driver_attach directly enables arbitrary code execution for privilege escalation from low-privileged user context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the UAF vulnerability by requiring timely installation of kernel patches that properly remove driver_private from the bus before freeing upon driver_attach failure.
Implements memory protection mechanisms like KASLR and supervisor-mode execution prevention that comprehensively mitigate exploitation of use-after-free errors in kernel driver subsystems.
Enforces secure kernel configuration settings, including exploit mitigations and restrictions on driver loading, to reduce the impact of UAF conditions in the driver base.