CVE-2022-49391
Published: 26 February 2025
Summary
CVE-2022-49391 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49391 is a double free vulnerability (CWE-415) in the Linux kernel's remoteproc subsystem, specifically the mtk_scp driver. The issue arises because 'scp->rproc' is allocated with devm_rproc_alloc(), a managed allocation that the device model frees automatically when the device is torn down. The driver's remove function nevertheless freed it explicitly as well, so the same object could be released twice once the managed cleanup ran.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the affected system. Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an unchanged security scope (S:U), as rated by the CVSS v3.1 base score of 7.8. This might allow the attacker to cause denial of service, memory corruption, or potentially elevate privileges through crafted operations on the mtk_scp remote processor interface.
Mitigation involves applying the upstream patches from the Linux kernel stable repository. The fixing commits, adc02700236613b344a947a897fc2741d52a43b9 and eac3e5b1c12f85732e60f5f8b985444d273866bb, remove the explicit free of 'scp->rproc' in the remove function, preventing the double free. Systems running affected kernel versions should update to a patched release.
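As an added illustration (not the driver's code and not a real kernel API), the following C model of the devm ownership rule shows why the pre-fix remove() ends up releasing 'scp->rproc' twice while the fixed remove() leaves exactly one release to the device model. The device and rproc structs and the devm_rproc_alloc()/devres_release_all() functions are simplified stand-ins, and frees are counted rather than performed so the double free is observable.

```c
/* Added model of the devres ownership rule behind this CVE; not kernel code. */
#include <stdlib.h>

/* Stand-in for struct device: resources the device model will release. */
struct device { void *devres[8]; int ndevres; };

/* Stand-in for struct rproc; 'freed' counts releases instead of freeing
 * memory, so a double free is observable rather than undefined behaviour. */
struct rproc { int freed; };

static int rproc_free(struct rproc *r) { return ++r->freed; }

/* Model of devm_rproc_alloc(): the allocation is registered with the
 * device and released automatically when the device is torn down. */
static struct rproc *devm_rproc_alloc(struct device *dev)
{
    struct rproc *r = calloc(1, sizeof *r);
    if (!r || dev->ndevres >= 8) { free(r); return NULL; }
    dev->devres[dev->ndevres++] = r;
    return r;
}

/* Device-model cleanup: release every managed resource, newest first. */
static void devres_release_all(struct device *dev)
{
    while (dev->ndevres > 0)
        rproc_free(dev->devres[--dev->ndevres]);
}

/* Pre-fix remove(): frees the devm-managed allocation explicitly (the bug). */
static void scp_remove_before_fix(struct device *dev, struct rproc *r)
{
    (void)dev;
    rproc_free(r);   /* devres_release_all() will free it a second time */
}

/* Post-fix remove(): the device model owns scp->rproc, so nothing to free. */
static void scp_remove_after_fix(struct device *dev, struct rproc *r)
{
    (void)dev; (void)r;
}

/* Run one probe/remove/teardown cycle and report how many times the rproc
 * was freed; -1 if the constructed allocation fails. */
static int unbind_free_count(void (*remove_fn)(struct device *, struct rproc *))
{
    struct device dev = {0};
    struct rproc *r = devm_rproc_alloc(&dev);
    if (!r) return -1;
    remove_fn(&dev, r);
    devres_release_all(&dev);
    int n = r->freed; free(r); return n;
}
```

The same ownership rule applies to every devm_*-allocated resource: once a driver hands an allocation to devres, its remove path must not free it again.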
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54838
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

remoteproc: mtk_scp: Fix a potential double free

'scp->rproc' is allocated using devm_rproc_alloc(), so there is no need to free it explicitly in the remove function.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A double free in a kernel driver enables local memory corruption leading directly to privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring timely remediation through application of kernel patches that eliminate the explicit free of the managed 'scp->rproc' allocation.
- CM-7 (Least Functionality): Prevents exposure to the mtk_scp driver vulnerability by restricting system functionality to only essential components, such as disabling unused remoteproc drivers.
- Mitigates exploitation of the double free via kernel memory protections like slab freelist randomization and safe unlinking that harden against memory corruption attacks.