CVE-2022-49489

Severity: High
Published: 26 February 2025
Modified: 24 March 2025
KEV Added: not listed
Patch: upstream fix available (see Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49489 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49489 is a use-after-free vulnerability (CWE-416) in the Linux kernel's drm/msm/disp/dpu1 display driver. When the driver frees its VBIF hardware configuration objects, it leaves the pointers to them in place instead of setting them to NULL; when the PM runtime resume callback later runs, dpu_vbif_init_memtypes walks that table and dereferences the freed memory, producing an invalid kernel paging request at a corrupted virtual address. The call trace shows the resume being triggered from the driver's own uninit path (msm_drm_uninit via dpu_irq_uninstall and dpu_core_irq_uninstall) through dpu_runtime_resume into dpu_vbif_init_memtypes. The vulnerability affects kernels that build the MSM DRM driver, which is commonly used on Qualcomm-based systems.

A local attacker with low privileges (PR:L) can trigger this with low attack complexity (AC:L) and no user interaction (UI:N); it requires local access (AV:L) and the security scope is unchanged (S:U). Successful exploitation has high impact on confidentiality, integrity and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 7.8. In practice this is kernel memory corruption reachable through the runtime resume path, which could lead to privilege escalation, arbitrary code execution, or a denial of service.

Mitigation is to apply the upstream kernel patches, referenced by the stable kernel commits (e.g., 134760263f6441741db0b2970e7face6b34b6d1c, 5b0adf5cbf3b74721e4e4c4e0cadc91b8df8bcc2) and the Freedesktop Patchwork submission (https://patchwork.freedesktop.org/patch/483255/). The fix explicitly sets the VBIF hardware configuration pointer to NULL after the object is freed, so the resume path skips it instead of dereferencing freed memory. Affected Linux kernels should be updated to a version that carries these changes.
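The pattern above is easy to see in a few lines of userspace C. The following is an added illustration, not kernel code: a simplified model in which a dpu_kms-like structure holds one hardware-config object per VBIF, teardown frees them, and a resume-path routine modelled on dpu_vbif_init_memtypes walks the same table. The struct layout, function bodies and the two-entry table size are assumptions; only the function names echo the call trace. The faulting address in the trace, 006b6b6b6b6b6be3, is filled with 0x6b, the kernel's slab free-poison byte, which is the usual signature of a freed object being dereferenced with slab debugging enabled. The buggy teardown below reproduces exactly that dangling state, and the fixed teardown mirrors the upstream change of clearing the slot after the free.

```c
#include <stdlib.h>
#include <stdio.h>

/* Simplified model of the CVE-2022-49489 pattern (assumption: not kernel code). */
#define MAX_VBIF 2

struct dpu_hw_vbif {
    int mem_type_programmed;          /* set by the resume path */
};

struct dpu_kms {
    struct dpu_hw_vbif *hw_vbif[MAX_VBIF];  /* one hw config per VBIF */
};

/* Allocate one hw config per VBIF; returns 0 on success, -1 on failure. */
int dpu_kms_hw_init(struct dpu_kms *kms)
{
    for (int i = 0; i < MAX_VBIF; i++) {
        kms->hw_vbif[i] = calloc(1, sizeof(*kms->hw_vbif[i]));
        if (!kms->hw_vbif[i])
            return -1;
    }
    return 0;
}

/* Model of dpu_vbif_init_memtypes as called from the runtime-resume path.
 * Skips slots with no hw config and returns how many VBIFs were programmed.
 * The NULL check only protects us if teardown actually clears the slot. */
int dpu_vbif_init_memtypes(struct dpu_kms *kms)
{
    int programmed = 0;
    for (int i = 0; i < MAX_VBIF; i++) {
        struct dpu_hw_vbif *vbif = kms->hw_vbif[i];
        if (!vbif)
            continue;
        vbif->mem_type_programmed = 1;   /* a dereference: UAF if vbif is dangling */
        programmed++;
    }
    return programmed;
}

/* Buggy teardown: frees each hw config but leaves the pointer in the table,
 * so a later resume dereferences freed (slab-poisoned) memory. */
void dpu_kms_hw_destroy_buggy(struct dpu_kms *kms)
{
    for (int i = 0; i < MAX_VBIF; i++)
        free(kms->hw_vbif[i]);           /* slot still holds the freed address */
}

/* Fixed teardown, mirroring the upstream fix: clear the slot after freeing. */
void dpu_kms_hw_destroy_fixed(struct dpu_kms *kms)
{
    for (int i = 0; i < MAX_VBIF; i++) {
        free(kms->hw_vbif[i]);
        kms->hw_vbif[i] = NULL;          /* resume path now finds nothing to touch */
    }
}

/* Count slots that still hold a (possibly dangling) pointer. Only the pointer
 * values are inspected; freed memory is never dereferenced here. */
int dangling_slots(const struct dpu_kms *kms)
{
    int n = 0;
    for (int i = 0; i < MAX_VBIF; i++)
        if (kms->hw_vbif[i])
            n++;
    return n;
}

int main(void)
{
    struct dpu_kms buggy = {0}, fixed = {0};

    dpu_kms_hw_init(&buggy);
    dpu_kms_hw_destroy_buggy(&buggy);
    /* Resuming 'buggy' here would reproduce the crash in the advisory, so we
     * only report how many slots the resume path would dereference. */
    printf("buggy teardown: %d dangling slot(s)\n", dangling_slots(&buggy));

    dpu_kms_hw_init(&fixed);
    printf("before teardown: programmed %d VBIF(s)\n", dpu_vbif_init_memtypes(&fixed));
    dpu_kms_hw_destroy_fixed(&fixed);
    printf("after fixed teardown: programmed %d VBIF(s), %d dangling slot(s)\n",
           dpu_vbif_init_memtypes(&fixed), dangling_slots(&fixed));
    return 0;
}
```

The point for reviewers of similar driver code: a NULL check in the consumer (here dpu_vbif_init_memtypes) is only meaningful if every teardown path that frees the object also clears the reference to it; otherwise any later callback that re-enters through pm_runtime, as the trace shows happening from msm_drm_uninit, walks straight into freed memory.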

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume

BUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3
Call trace:
  dpu_vbif_init_memtypes+0x40/0xb8
  dpu_runtime_resume+0xcc/0x1c0
  pm_generic_runtime_resume+0x30/0x44
  __genpd_runtime_resume+0x68/0x7c
  genpd_runtime_resume+0x134/0x258
  __rpm_callback+0x98/0x138
  rpm_callback+0x30/0x88
  rpm_resume+0x36c/0x49c
  __pm_runtime_resume+0x80/0xb0
  dpu_core_irq_uninstall+0x30/0xb0
  dpu_irq_uninstall+0x18/0x24
  msm_drm_uninit+0xd8/0x16c

Patchwork: https://patchwork.freedesktop.org/patch/483255/
[DB: fixed Fixes tag]

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A use-after-free in a kernel DRM driver is a local memory-corruption primitive, which is the classic starting point for exploitation for privilege escalation and arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2023-52974 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2022-49176 (same product: Linux Kernel)
CVE-2022-49291 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.19 to 4.19.247, 4.20 to 5.4.198, 5.5 to 5.10.121

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)

Requires identification, reporting and timely patching of the kernel use-after-free flaw in the drm/msm/disp/dpu1 runtime resume path; applying the upstream fixes removes the vulnerability outright.

SI-16 Memory Protection (prevent)

Implements memory protection safeguards such as ASLR, SMEP/SMAP and other kernel hardening that make it harder to turn the use-after-free into arbitrary code execution or controlled memory corruption.

RA-5 Vulnerability Monitoring and Scanning (detect)

Provides vulnerability scanning and monitoring to identify the presence of CVE-2022-49489 in Linux kernels that ship the MSM DRM driver.

References

https://patchwork.freedesktop.org/patch/483255/
Stable kernel commits 134760263f6441741db0b2970e7face6b34b6d1c and 5b0adf5cbf3b74721e4e4c4e0cadc91b8df8bcc2