Cyber Resilience

CVE-2022-49391

High

Published: 26 February 2025

Modified: 01 October 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49391 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49391 is a double free vulnerability (CWE-415) in the Linux kernel's remoteproc subsystem, specifically the mtk_scp driver. The issue arises because the 'scp->rproc' structure is allocated using devm_rproc_alloc(), a managed allocation that is automatically freed by the device model. However, the driver's remove function explicitly frees it, potentially leading to a double free if the managed cleanup also occurs.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the affected system. Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an unchanged security scope (S:U), as rated by the CVSS v3.1 base score of 7.8. This might allow the attacker to cause denial of service, memory corruption, or potentially elevate privileges through crafted operations on the mtk_scp remote processor interface.

Mitigation involves applying the upstream patches from the Linux kernel stable repository. The fixing commits, adc02700236613b344a947a897fc2741d52a43b9 and eac3e5b1c12f85732e60f5f8b985444d273866bb, remove the explicit free of 'scp->rproc' in the remove function, preventing the double free. Systems running affected kernel versions should update to a patched release.
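
The ownership bug and its fix described above, as an added userspace model (not kernel code and not the mtk_scp driver's source). `managed_alloc()`, `device_release_all()` and `unbind()` are hypothetical stand-ins for a devm-style allocation, the device model's managed cleanup and the driver's remove path; releases are counted rather than passed to free() twice, so the double release can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model, not kernel code: a device and its managed resources. */
struct res { void *ptr; int *releases; struct res *next; };
struct device_model { struct res *managed; };

/* Count releases; only the first calls free(), so a repeat is observable safely. */
static void release_obj(void *ptr, int *releases)
{
    if (++*releases == 1)
        free(ptr);
}

/* Hypothetical stand-in for a devm_*-style allocation: the device owns it. */
static void *managed_alloc(struct device_model *dev, size_t size, int *releases)
{
    struct res *r = malloc(sizeof(*r));
    void *p = malloc(size);
    if (!r || !p) { free(r); free(p); return NULL; }
    r->ptr = p; r->releases = releases; r->next = dev->managed;
    dev->managed = r;
    return p;
}

/* Stand-in for the managed cleanup the device model runs after remove(). */
static void device_release_all(struct device_model *dev)
{
    while (dev->managed) {
        struct res *r = dev->managed;
        dev->managed = r->next;
        release_obj(r->ptr, r->releases);
        free(r);
    }
}

/* Unbind the driver; returns how many times the object was released. */
static int unbind(int explicit_free_in_remove)
{
    struct device_model dev = { NULL };
    int releases = 0;
    void *rproc = managed_alloc(&dev, 64, &releases);
    if (!rproc) return -1;
    if (explicit_free_in_remove)        /* pre-fix remove(): explicit free */
        release_obj(rproc, &releases);
    device_release_all(&dev);           /* managed cleanup releases it again */
    return releases;
}

int main(void) { printf("pre-fix: %d, fixed: %d\n", unbind(1), unbind(0)); return 0; }
```

A release count of 2 is the double free; dropping the explicit free from the remove path leaves exactly one release, performed by the managed cleanup.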

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

remoteproc: mtk_scp: Fix a potential double free

'scp->rproc' is allocated using devm_rproc_alloc(), so there is no need to free it explicitly in the remove function.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Double-free in kernel driver enables local memory corruption leading directly to privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23387 (same product: Linux kernel)
CVE-2024-57980 (same product: Linux kernel)
CVE-2026-31489 (same product: Linux kernel)
CVE-2022-49290 (same product: Linux kernel)
CVE-2026-23162 (same product: Linux kernel)
CVE-2026-23068 (same product: Linux kernel)
CVE-2022-49384 (same product: Linux kernel)
CVE-2026-31475 (same product: Linux kernel)
CVE-2022-49530 (same product: Linux kernel)
CVE-2026-31468 (same product: Linux kernel)

Affected Assets

linux: linux kernel, versions 5.18 to 5.18.4

Mitigating Controls

NIST 800-53 r5 (AI)

Prevent: Directly addresses the CVE by requiring timely remediation through application of kernel patches that eliminate the explicit free of the managed 'scp->rproc' allocation.

Prevent: Prevents exposure to the mtk_scp driver vulnerability by restricting system functionality to only essential components, such as disabling unused remoteproc drivers.

Prevent: Mitigates exploitation of the double free via kernel memory protections like slab freelist randomization and safe unlinking that harden against memory corruption attacks.
