CVE-2022-49685
Published: 26 February 2025
Summary
CVE-2022-49685 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49685 is a use-after-free vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the sysfs trigger interface. The issue arises during trigger removal via sysfs attributes, where the trigger is freed before the associated irq_work completes, leading to a read-after-free detected by KASAN in functions like irq_work_run_list. This affects kernels with IIO sysfs trigger support, as evidenced by allocation in iio_sysfs_trig_add and freeing in iio_sysfs_trig_remove during sysfs writes.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By writing to the relevant sysfs attributes—such as through a process like Python scripting sysfs files—the attacker can trigger the add/remove sequence, causing the use-after-free when irq_work_tick processes the pending work post-free. Successful exploitation yields high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially allowing arbitrary code execution, data corruption, or kernel crashes.
Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 31ff3309b47d98313c61b8301bf595820cc3cc33 and others, which ensure irq_work completion before freeing the trigger. Security practitioners should update affected Linux distributions or kernels to versions incorporating these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54548
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: iio: trigger: sysfs: fix use-after-free on remove Ensure that the irq_work has completed before the trigger is freed. ================================================================== BUG: KASAN: use-after-free in irq_work_run_list Read of size 8 at addr…
more
0000000064702248 by task python3/25 Call Trace: irq_work_run_list irq_work_tick update_process_times tick_sched_handle tick_sched_timer __hrtimer_run_queues hrtimer_interrupt Allocated by task 25: kmem_cache_alloc_trace iio_sysfs_trig_add dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write Freed by task 25: kfree iio_sysfs_trig_remove dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write ==================================================================
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF in sysfs/IIO allows direct privilege escalation to arbitrary code execution via low-priv writes.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 mandates timely identification, reporting, and correction of system flaws, directly addressing this kernel use-after-free by requiring application of upstream patches before exploitation.
RA-5 requires vulnerability monitoring and scanning to identify systems vulnerable to CVE-2022-49685 in the IIO sysfs trigger interface.
CM-6 enforces baseline configuration settings for the Linux kernel, ensuring patched versions that resolve the sysfs trigger use-after-free are maintained.