CVE-2022-49419

High

Published: 26 February 2025

Modified: 24 March 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49419 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49419 is a use-after-free vulnerability in the Linux kernel's vesafb framebuffer device driver within the fbdev subsystem. The issue arises from early cleanup of the fb_info structure when the .fb_destroy callback executes before the .remove callback, for example, if no process has the fbdev chardev open at the time the driver is removed. This causes vesafb_remove() to access the already-freed fb_info pointer after unregister_framebuffer() is called. A prior commit, b3c9a924aab6, addressed a related use-after-free but overlooked this scenario.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. A local attacker with low privileges can exploit it without user interaction, potentially achieving high impacts on confidentiality, integrity, and availability through arbitrary code execution, data corruption, or denial of service.

Mitigation requires updating to Linux kernel versions incorporating the fix commits from the stable repository, such as 0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63, acde4003efc16480375543638484d8f13f2e99a3, d260cad015945d1f4bb9b028a096f648506106a2, and f605f5558ecc175ec70016a3c15f007cb6386531. These patches relocate the access to info->par before the unregister_framebuffer() call to ensure the pointer remains valid.
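
The ordering problem described above, as an added example that is not taken from the kernel source or from this page: a userspace model in which the `model_*` names, the `live` flag and the stale-read counter are assumptions made for illustration. It shows that the old order reads a destroyed fb_info only when no process holds the chardev open, and that reading info->par before unregistering removes the stale read.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, constructed for illustration; not kernel code. */
struct model_fb_info {
    bool par_region;  /* stands in for the field reached through info->par */
    int open_count;   /* processes holding the fbdev chardev open */
    bool live;        /* false once the .fb_destroy step has "freed" it */
};

static int stale_reads;  /* reads that hit an already-destroyed fb_info */

/* Stand-in for dereferencing info->par; counts a stale read instead of
 * touching freed memory, so the model itself has no undefined behaviour. */
static bool model_read_par(const struct model_fb_info *info)
{
    if (!info->live) { stale_reads++; return false; }
    return info->par_region;
}

/* Stand-in for unregister_framebuffer(): with no opener left, the
 * .fb_destroy step runs right here and fb_info is gone on return. */
static void model_unregister(struct model_fb_info *info)
{
    if (info->open_count == 0)
        info->live = false;
}

/* Runs one .remove in the chosen order; returns the stale-read count. */
static int model_remove(bool fixed_order, int open_count)
{
    struct model_fb_info info = { true, open_count, true };
    stale_reads = 0;
    if (fixed_order) {
        (void)model_read_par(&info);   /* read info->par first ... */
        model_unregister(&info);       /* ... then unregister */
    } else {
        model_unregister(&info);       /* may destroy fb_info ... */
        (void)model_read_par(&info);   /* ... which is then read */
    }
    return stale_reads;
}

int main(void)
{
    printf("old order, no opener: %d stale read(s)\n", model_remove(false, 0));
    printf("old order, one opener: %d stale read(s)\n", model_remove(false, 1));
    printf("fixed order, no opener: %d stale read(s)\n", model_remove(true, 0));
    return 0;
}
```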

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup

Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove") fixed a use-after-free error due the vesafb driver freeing the fb_info in the .remove handler instead of doing it in .fb_destroy. This can happen if the .fb_destroy callback is executed after the .remove callback, since the former tries to access a pointer freed by the latter.

But that change didn't take into account that another possible scenario is that .fb_destroy is called before the .remove callback. For example, if no process has the fbdev chardev opened by the time the driver is removed. If that's the case, fb_info will be freed when unregister_framebuffer() is called, making the fb_info pointer accessed in vesafb_remove() after that to no longer be valid.

To prevent that, move the expression containing the info->par to happen before the unregister_framebuffer() function call.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in vesafb driver directly enables privilege escalation via arbitrary code execution from low-privileged local context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2023-52974 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2022-49176 (same product: Linux kernel)
CVE-2022-49291 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)

Affected Assets

linux
linux kernel
5.15.41 — 5.15.46 · 5.17.9 — 5.17.14 · 5.18 — 5.18.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely identification, reporting, and correction of the use-after-free flaw in the vesafb driver through kernel patching.

prevent

Implements memory protection mechanisms such as address randomization and stack protections that mitigate exploitation of the use-after-free vulnerability.

prevent

Restricts the kernel to least functionality by disabling unnecessary legacy drivers like vesafb, preventing exposure to the vulnerability.
