CVE-2022-49489
Published: 26 February 2025
Summary
CVE-2022-49489 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel, with a CVSS v3.1 base score of 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks in the 3.1st percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49489 is a use-after-free (CWE-416) in the Linux kernel's drm/msm/disp/dpu1 display driver. During driver teardown (msm_drm_uninit) the VBIF hardware objects are freed, but the pointers to them are left in place. The IRQ uninstall that follows triggers a PM runtime resume, and dpu_runtime_resume calls dpu_vbif_init_memtypes, which walks the stale pointers and reads from freed memory. The oops in the report faults at virtual address 006b6b6b6b6b6be3: 0x6b is the byte the kernel's slab poisoning writes into freed objects, so the pointer being dereferenced was itself read out of a freed VBIF object. The affected code is the MSM DRM driver used on Qualcomm SoCs.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) in an unchanged security scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), for a CVSS v3.1 base score of 7.8. A use-after-free in kernel context is a memory-corruption primitive that can lead to privilege escalation, arbitrary code execution in the kernel, or a denial of service through the crash shown in the trace. Note that the reported trace comes from driver teardown, so the practical trigger is a runtime resume that follows the release of the VBIF objects.
Mitigation is applying the upstream fix: the stable kernel commits referenced for this CVE (e.g., 134760263f6441741db0b2970e7face6b34b6d1c, 5b0adf5cbf3b74721e4e4c4e0cadc91b8df8bcc2) and the original submission on Freedesktop Patchwork (https://patchwork.freedesktop.org/patch/483255/). The fix stores NULL into the VBIF hardware pointers when the objects are destroyed, so the runtime-resume path skips those slots instead of dereferencing freed memory. Update affected Linux kernels to a version that carries these changes.
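To make the failure sequence concrete, here is an added userspace model of what the trace and the fix describe. It is example code written for this page, not the kernel's dpu1 driver: the function names follow the kernel's, but the struct layouts, the toy slab that poisons freed objects with 0x6b the way the kernel's slab poisoning does, the two VBIF instances with their constructed memtype tables, and the call counts are this example's assumptions. The unpatched teardown leaves the hw_vbif pointers dangling, so the resume after it reads poisoned memory (the 0x6b pattern behind the 006b6b6b6b6b6be3 address in the oops); the patched teardown stores NULL and the resume skips the slots.

```c
/* Added example: userspace model of the dpu1 VBIF teardown/resume sequence.
 * Not kernel code; struct layouts, the toy slab and the sample VBIF tables
 * are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte the kernel's slab poisoning writes into freed objects */
#define NUM_VBIF    2

struct dpu_hw_vbif;
struct dpu_vbif_cap { int memtype_count; int memtype[4]; };
struct dpu_hw_vbif_ops { void (*set_mem_type)(struct dpu_hw_vbif *vbif, int xin, int type); };
struct dpu_hw_vbif { const struct dpu_vbif_cap *cap; struct dpu_hw_vbif_ops ops; };
struct dpu_kms { struct dpu_hw_vbif *hw_vbif[NUM_VBIF]; };

/* Toy slab: freed objects are poisoned instead of being handed back, so a
 * dangling read here is well-defined and shows exactly the 0x6b pattern. */
static struct dpu_hw_vbif slab[NUM_VBIF];
/* Constructed sample tables: VBIF 0 has two memtypes, VBIF 1 has one. */
static const struct dpu_vbif_cap caps[NUM_VBIF] = { { 2, { 1, 2 } }, { 1, { 3 } } };
static int set_mem_type_calls;   /* how many times the "hardware" was programmed */

static void toy_set_mem_type(struct dpu_hw_vbif *vbif, int xin, int type)
{
    (void)vbif; (void)xin; (void)type;
    set_mem_type_calls++;
}

static struct dpu_hw_vbif *dpu_hw_vbif_init(int idx)
{
    struct dpu_hw_vbif *vbif = &slab[idx];
    vbif->cap = &caps[idx];
    vbif->ops.set_mem_type = toy_set_mem_type;
    return vbif;
}

static void dpu_hw_vbif_destroy(struct dpu_hw_vbif *vbif)
{
    memset(vbif, POISON_FREE, sizeof *vbif);   /* models kfree() with poisoning on */
}

static int is_poisoned(const void *obj, size_t len)
{
    const unsigned char *b = obj;
    for (size_t i = 0; i < len; i++)
        if (b[i] != POISON_FREE)
            return 0;
    return 1;
}

/* Runs on every runtime resume, like the kernel's dpu_vbif_init_memtypes().
 * Returns how many slots still pointed at a freed object. */
static int dpu_vbif_init_memtypes(struct dpu_kms *kms)
{
    int dangling = 0;
    for (int i = 0; i < NUM_VBIF; i++) {
        struct dpu_hw_vbif *vbif = kms->hw_vbif[i];
        if (!vbif)
            continue;                          /* the branch the NULL store enables */
        if (is_poisoned(vbif, sizeof *vbif)) {
            /* Every pointer inside the object now reads as 0x6b6b...6b; the real
             * driver dereferences one of them and faults at 006b6b6b6b6b6be3. */
            dangling++;
            continue;
        }
        for (int j = 0; j < vbif->cap->memtype_count; j++)
            vbif->ops.set_mem_type(vbif, j, vbif->cap->memtype[j]);
    }
    return dangling;
}

/* Teardown of the hardware blocks. `patched` adds the NULL store from the fix. */
static void dpu_kms_hw_destroy(struct dpu_kms *kms, int patched)
{
    for (int i = 0; i < NUM_VBIF; i++) {
        if (kms->hw_vbif[i])
            dpu_hw_vbif_destroy(kms->hw_vbif[i]);
        if (patched)
            kms->hw_vbif[i] = NULL;
    }
}

/* Driver lifetime as in the trace: init, a resume while live, teardown, then
 * the runtime resume that the IRQ uninstall in msm_drm_uninit() triggers. */
static int simulate_uninit(int patched)
{
    struct dpu_kms kms = { { 0 } };
    set_mem_type_calls = 0;
    for (int i = 0; i < NUM_VBIF; i++)
        kms.hw_vbif[i] = dpu_hw_vbif_init(i);
    dpu_vbif_init_memtypes(&kms);             /* live: programs 2 + 1 memtypes */
    dpu_kms_hw_destroy(&kms, patched);
    return dpu_vbif_init_memtypes(&kms);      /* the resume after teardown */
}

int main(void)
{
    printf("unpatched teardown: %d dangling VBIF slots on resume\n", simulate_uninit(0));
    printf("patched teardown:   %d dangling VBIF slots on resume\n", simulate_uninit(1));
    return 0;
}
```

The model stops short of calling through the poisoned function pointer, which is where the real driver crashes; in the kernel, whether that crash becomes a controlled write depends on what an attacker can allocate into the freed slab slot between the free and the resume, which is why the fix (never keeping the stale pointer) is the right answer rather than hardening alone.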
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54740
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume

BUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3
Call trace:
dpu_vbif_init_memtypes+0x40/0xb8
dpu_runtime_resume+0xcc/0x1c0
pm_generic_runtime_resume+0x30/0x44
__genpd_runtime_resume+0x68/0x7c
genpd_runtime_resume+0x134/0x258
__rpm_callback+0x98/0x138
rpm_callback+0x30/0x88
rpm_resume+0x36c/0x49c
__pm_runtime_resume+0x80/0xb0
dpu_core_irq_uninstall+0x30/0xb0
dpu_irq_uninstall+0x18/0x24
msm_drm_uninit+0xd8/0x16c

Patchwork: https://patchwork.freedesktop.org/patch/483255/

[DB: fixed Fixes tag]
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in a kernel DRM driver gives a local user a kernel memory-corruption primitive; that is the basis of Exploitation for Privilege Escalation (T1068), up to arbitrary code execution in kernel context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): identify, report and promptly patch the use-after-free in drm/msm/dpu1's runtime-resume path; applying the upstream fix removes the bug outright.
- SI-16 (Memory Protection): kernel hardening such as KASLR and, on the arm64 SoCs where the MSM DRM driver runs, PAN/PXN (the counterparts of x86 SMAP/SMEP) raises the cost of turning the use-after-free into arbitrary code execution, but does not remove the bug.
- RA-5 (Vulnerability Monitoring and Scanning): scan and monitor for kernels that carry the MSM DRM driver and lack the fix for CVE-2022-49489.