CVE-2022-49535
Published: 26 February 2025
Summary
CVE-2022-49535 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49535 is a use-after-free vulnerability in the Linux kernel's lpfc SCSI driver, leading to a null pointer dereference. The issue arises when lpfc_issue_els_flogi() fails and returns a non-zero status, causing the node reference count to decrement and potentially release the nodelist structure prematurely if prior registration or dev-loss-evt work is pending. A similar problem occurs in lpfc_cmpl_els_plogi() during non-zero ELS PLOGI completion, where ndlp flags are checked before node removal, allowing dev-loss-evt to reference a freed node. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering FLOGI or PLOGI failures in the lpfc driver while dev-loss-evt work is pending, leading to a use-after-free condition. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as kernel crashes, denial of service, or potential arbitrary code execution within the kernel context.
Mitigation is provided through kernel patches referenced in stable commit 10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df, which adds checks for pending dev-loss events before decrementing the node reference count in FLOGI, PLOGI, PRLI, and ADISC handling. Additional fixes appear in commits 577a942df3de2666f6947bdd3a5c9e8d30073424 and c7dc74ab7975c9b96284abfe4cca756d75fa4604, addressing the premature release and subsequent dereferences in the lpfc driver. Security practitioners should apply these upstream kernel updates to affected systems using the lpfc driver.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54696
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI If lpfc_issue_els_flogi() fails and returns non-zero status, the node reference count is decremented to trigger the release…
more
of the nodelist structure. However, if there is a prior registration or dev-loss-evt work pending, the node may be released prematurely. When dev-loss-evt completes, the released node is referenced causing a use-after-free null pointer dereference. Similarly, when processing non-zero ELS PLOGI completion status in lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport registration before triggering node removal. If dev-loss-evt work is pending, the node may be released prematurely and a subsequent call to lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference. Add test for pending dev-loss before decrementing the node reference count for FLOGI, PLOGI, PRLI, and ADISC handling.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free in lpfc driver directly enables privilege escalation via arbitrary code execution (T1068) and endpoint DoS via system/kernel exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and correction of system flaws, directly addressing this use-after-free vulnerability through application of Linux kernel patches to the lpfc driver.
Implements memory protection mechanisms that mitigate use-after-free exploits in the lpfc driver by restricting unauthorized memory access and pointer manipulation.
Requires vulnerability scanning to identify CVE-2022-49535 in Linux kernels using the lpfc SCSI driver, enabling detection and prioritization for remediation.