Cyber Resilience

CVE-2022-49685

High

Published: 26 February 2025

Published
26 February 2025
Modified
24 March 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49685 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2022-49685 is a use-after-free vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the sysfs trigger interface. The issue arises during trigger removal via sysfs attributes, where the trigger is freed before the associated irq_work completes, leading to a read-after-free detected by KASAN in functions like irq_work_run_list. This affects kernels with IIO sysfs trigger support, as evidenced by allocation in iio_sysfs_trig_add and freeing in iio_sysfs_trig_remove during sysfs writes.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By writing to the relevant sysfs attributes—such as through a process like Python scripting sysfs files—the attacker can trigger the add/remove sequence, causing the use-after-free when irq_work_tick processes the pending work post-free. Successful exploitation yields high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially allowing arbitrary code execution, data corruption, or kernel crashes.

Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 31ff3309b47d98313c61b8301bf595820cc3cc33 and others, which ensure irq_work completion before freeing the trigger. Security practitioners should update affected Linux distributions or kernels to versions incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: iio: trigger: sysfs: fix use-after-free on remove Ensure that the irq_work has completed before the trigger is freed. ================================================================== BUG: KASAN: use-after-free in irq_work_run_list Read of size 8 at addr…

more

0000000064702248 by task python3/25 Call Trace: irq_work_run_list irq_work_tick update_process_times tick_sched_handle tick_sched_timer __hrtimer_run_queues hrtimer_interrupt Allocated by task 25: kmem_cache_alloc_trace iio_sysfs_trig_add dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write Freed by task 25: kfree iio_sysfs_trig_remove dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write ==================================================================

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in sysfs/IIO allows direct privilege escalation to arbitrary code execution via low-priv writes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2023-52974Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2022-49176Same product: Linux Linux Kernel
CVE-2022-49291Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 3.7 — 4.9.321 · 4.10 — 4.14.286 · 4.15 — 4.19.250

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of system flaws, directly addressing this kernel use-after-free by requiring application of upstream patches before exploitation.

detect

RA-5 requires vulnerability monitoring and scanning to identify systems vulnerable to CVE-2022-49685 in the IIO sysfs trigger interface.

prevent

CM-6 enforces baseline configuration settings for the Linux kernel, ensuring patched versions that resolve the sysfs trigger use-after-free are maintained.

References