CVE-2022-49645
Published: 26 February 2025
Summary
CVE-2022-49645 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 25.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49645 is a vulnerability in the Linux kernel's drm/panfrost driver, which handles graphics processing for Arm Mali GPUs. The issue arises when the madvise IOCTL is called twice on the same buffer object (BO), leading to corruption of the memory shrinker list. Specifically, the BO is added to the list a second time without first being removed, resulting in kernel instability. This flaw is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by invoking the madvise IOCTL twice on a targeted BO. This triggers the list corruption, potentially causing a kernel crash and enabling high-impact effects on confidentiality, integrity, and availability, such as denial of service or further memory corruption that could facilitate privilege escalation.
Mitigation requires applying the relevant upstream patches from the Linux kernel stable branches, as detailed in the following commit references: https://git.kernel.org/stable/c/0581613df7f9a4c5fac096ce1d5fb15b7b994240, https://git.kernel.org/stable/c/1807d8867402a58b831a7fc16832747ff559a0d1, https://git.kernel.org/stable/c/393594aad55179eb761af41533d8d1d6eb4543b0, https://git.kernel.org/stable/c/9fc33eaaa979d112d10fea729edcd2a2e21aa912, and https://git.kernel.org/stable/c/f036392edd9c49090781d8cca26ad6557a63bae4. Systems using the panfrost driver should update to a patched kernel version to prevent exploitation.
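To show why a second madvise call corrupts the shrinker list, here is an added example (not the page's or the kernel's own code) that models the list in userspace C: list_head, list_add_tail, list_del_init and list_move_tail are simplified stand-ins for the kernel's list.h helpers, and the buffer object and shrinker list are constructed inline. Adding a node that is already linked makes it point at itself, so a walk never returns to the head; removing it first keeps the list consistent.

```c
#include <stdio.h>

/* Circular doubly-linked list in the style of the kernel's list_head.
 * A userspace stand-in written for this example, not linux/list.h. */
struct list_head { struct list_head *prev, *next; };
static void list_init(struct list_head *h) { h->prev = h->next = h; }

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->next = h; n->prev = h->prev;
    h->prev->next = n; h->prev = n;
}

static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Delete, then add: the safe way to (re)position a node. */
static void list_move_tail(struct list_head *n, struct list_head *h) {
    list_del_init(n); list_add_tail(n, h);
}

/* Bounded walk: node count, or -1 if the head is not reached again
 * within max_hops, i.e. the list is corrupted. */
static int list_count(const struct list_head *h, int max_hops) {
    int n = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (++n > max_hops) return -1;
    return n;
}

/* Model of the bug: the BO is appended to the shrinker list a second
 * time while still on it, and ends up linked to itself. */
static int buggy_double_add(void) {
    struct list_head shrinker_list, bo;   /* constructed sample objects */
    list_init(&shrinker_list); list_init(&bo);
    list_add_tail(&bo, &shrinker_list);
    list_add_tail(&bo, &shrinker_list);   /* second add, no removal */
    return list_count(&shrinker_list, 16);
}

/* Fixed pattern: remove before re-adding, so repeating it is harmless. */
static int fixed_move_tail(void) {
    struct list_head shrinker_list, bo;
    list_init(&shrinker_list); list_init(&bo);
    list_add_tail(&bo, &shrinker_list);
    list_move_tail(&bo, &shrinker_list);  /* repeated, still one entry */
    return list_count(&shrinker_list, 16);
}

int main(void) { printf("buggy=%d fixed=%d\n", buggy_double_add(), fixed_move_tail()); return 0; }
```

With CONFIG_DEBUG_LIST enabled, the kernel's own list_add validation catches this case and logs a "list_add double add" warning, which is a useful signal to watch for in dmesg on systems running the panfrost driver.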
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54587
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix shrinker list corruption by madvise IOCTL. Calling madvise IOCTL twice on BO causes memory shrinker list corruption and crashes kernel because BO is already on the list and it's added to the list again, while BO should be removed from the list before it's re-added. Fix it.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory corruption via madvise IOCTL directly enables privilege escalation (T1068) and endpoint DoS through system exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely identification, reporting, and patching of kernel flaws like CVE-2022-49645 in the panfrost driver to prevent madvise IOCTL-induced list corruption.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to detect unpatched instances of CVE-2022-49645 in Linux kernels using the panfrost driver, facilitating proactive remediation.
- Supports monitoring for kernel crashes or anomalies resulting from memory shrinker list corruption exploited via repeated madvise IOCTL calls on buffer objects.