CVE-2022-49524
Published: 26 February 2025
Summary
CVE-2022-49524 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49524 is a use-after-free (CWE-416) in the Linux kernel's cx23885 PCI driver, which supports media devices such as video capture cards. The flaw is in the error handling of cx23885_initdev(): by the time dma_set_mask() fails, cx23885_dev_setup() has already set up the device's i2c resources, and the error path jumps past the cleanup that releases them. Those registrations outlive the failed probe, so when an i2c driver is later removed (task modprobe in the report) the walk in __process_removed_driver(), reached via i2c_del_driver() and bus_for_each_dev(), touches freed memory, which KASAN reports as a use-after-free. The CVSS v3.1 base score is 7.8.
The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a local, low-privileged attacker with no user interaction required. Reaching the flaw needs a system with the cx23885 driver loaded, a dma_set_mask() failure during device initialization, and a subsequent i2c driver removal; under those conditions the use-after-free can at minimum crash the kernel and, in the worst case, be turned into arbitrary code execution in kernel context and privilege escalation, which is why all three impact metrics are rated High.
The references point to the stable kernel commits that fix the error path in cx23885_initdev() so the i2c resources are released when dma_set_mask() fails. Update affected kernels to a version that carries the fix; on systems without cx23885 hardware, not loading (or not building) the module also removes the exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54706
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

media: pci: cx23885: Fix the error handling in cx23885_initdev()

When the driver fails to call the dma_set_mask(), the driver will get the following splat:

[ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
[ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
[ 55.856822] Call Trace:
[ 55.860327] __process_removed_driver+0x3c/0x240
[ 55.861347] bus_for_each_dev+0x102/0x160
[ 55.861681] i2c_del_driver+0x2f/0x50

This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling; fix this bug by modifying the error path that jumps after failing to call the dma_set_mask().
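The following is an added example, not code from this page or from the kernel: a user-space C model of the error-path flaw described in the analysis above and in the commit message, with the buggy probe beside the fixed one. Every name in it (fake_dev, i2c_register, dev_setup, initdev_buggy, initdev_fixed, i2c_del_driver_walk) is an assumed stand-in for the kernel API, not the real function. The bus list is global on purpose: registered i2c clients outlive the probe call that created them, which is exactly why a probe that fails after registration must unregister them before freeing the device.

```c
/*
 * Added example (illustrative stand-ins, not kernel code): models the
 * cx23885_initdev() error-path bug and the shape of its fix. Instead of
 * freeing memory and then reading it (undefined behaviour), the model marks
 * an object as freed and counts the registrations that still point at it;
 * each such registration is the read KASAN flagged as a use-after-free.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 8

struct fake_dev {
    int freed;          /* set by dev_free(): the device memory is "gone" */
    int dma_mask_fails; /* when set, fake_dma_set_mask() fails like dma_set_mask() did */
};

/* Stand-in for the i2c bus's client list; it outlives any single probe call. */
static struct fake_dev *i2c_clients[MAX_CLIENTS];
static int n_i2c_clients;

static void i2c_register(struct fake_dev *owner)
{
    if (n_i2c_clients < MAX_CLIENTS)
        i2c_clients[n_i2c_clients++] = owner;
}

static void i2c_unregister_all(struct fake_dev *owner)
{
    int kept = 0;
    for (int i = 0; i < n_i2c_clients; i++)
        if (i2c_clients[i] != owner)
            i2c_clients[kept++] = i2c_clients[i];
    n_i2c_clients = kept;
}

/* cx23885_dev_setup() stand-in: registers i2c clients owned by dev. */
static int dev_setup(struct fake_dev *dev)
{
    i2c_register(dev);   /* assume one client per i2c bus the card exposes */
    i2c_register(dev);
    return 0;
}

static int fake_dma_set_mask(struct fake_dev *dev)
{
    return dev->dma_mask_fails ? -EIO : 0;
}

static void dev_free(struct fake_dev *dev)
{
    dev->freed = 1;      /* the bus list is NOT updated here */
}

/* Before the fix: a dma_set_mask() failure jumps straight to the free. */
static int initdev_buggy(struct fake_dev *dev)
{
    int err = dev_setup(dev);
    if (err)
        goto fail_free;
    err = fake_dma_set_mask(dev);
    if (err)
        goto fail_free;  /* BUG: i2c clients stay registered */
    return 0;
fail_free:
    dev_free(dev);
    return err;
}

/* After the fix: the jump lands on the label that unregisters first. */
static int initdev_fixed(struct fake_dev *dev)
{
    int err = dev_setup(dev);
    if (err)
        goto fail_free;
    err = fake_dma_set_mask(dev);
    if (err)
        goto fail_unregister;
    return 0;
fail_unregister:
    i2c_unregister_all(dev);
fail_free:
    dev_free(dev);
    return err;
}

/*
 * i2c_del_driver() -> bus_for_each_dev() -> __process_removed_driver() stand-in:
 * walks every registered client and returns how many belong to an owner that
 * was already freed (the dangling reads a real kernel would perform).
 */
static int i2c_del_driver_walk(void)
{
    int dangling = 0;
    for (int i = 0; i < n_i2c_clients; i++)
        if (i2c_clients[i]->freed)
            dangling++;
    return dangling;
}

static struct fake_dev the_dev;  /* static, so no pointer ever dangles for real */

/* Probe once with the given dma_set_mask() outcome, then "remove the driver". */
static int simulate(int (*initdev)(struct fake_dev *), int dma_fails)
{
    n_i2c_clients = 0;
    memset(&the_dev, 0, sizeof the_dev);
    the_dev.dma_mask_fails = dma_fails;
    (void)initdev(&the_dev);
    return i2c_del_driver_walk();
}

int main(void)
{
    printf("buggy probe, dma_set_mask fails: %d dangling\n", simulate(initdev_buggy, 1));
    printf("fixed probe, dma_set_mask fails: %d dangling\n", simulate(initdev_fixed, 1));
    printf("fixed probe, dma_set_mask ok:    %d dangling\n", simulate(initdev_fixed, 0));
    return 0;
}
```

Build with any C99 compiler and run: the buggy probe leaves two dangling registrations behind, the fixed probe none. The general rule the fix applies, and the one SI-11 asks for, is that each goto label in a probe function must undo exactly what was acquired before the failing call, so a call added later in the sequence has to jump to the label that unwinds everything above it, not to an earlier, shallower one.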
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1068 Exploitation for Privilege Escalation
Why these techniques?
A use-after-free in a kernel driver reachable by a local user maps to T1068 because a successful exploit runs attacker-controlled code in kernel context, which is privilege escalation for an otherwise low-privileged local account.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly remediates the flaw by requiring timely application of the kernel patch that fixes the error path in cx23885_initdev() so i2c resources are released on dma_set_mask() failure.
SI-11 (Error Handling): mandates that error paths identify and clean up the resources acquired before the failing call, here the i2c resources set up by cx23885_dev_setup(); that cleanup is what the fix adds and what prevents the use-after-free during driver removal.
SI-16 (Memory Protection): runtime memory protections such as kernel address space randomization raise the cost of turning the use-after-free into code execution but do not remove the flaw, so they complement the patch rather than replace it. KASAN, which produced the report above, is a debugging aid for finding such bugs and not a production mitigation.