Cyber Resilience

CVE-2022-49686

High

Published: 26 February 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49686 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49686 is a vulnerability in the Linux kernel's USB gadget UVC (USB Video Class) driver, specifically within the uvcg_video_pump function. It arises from a list double-add error where a USB request is added back to the req_free list after already being queued to an endpoint, particularly when the endpoint becomes disabled. This triggers a kernel panic due to list debug checks failing, as evidenced by kernel logs showing a BUG at lib/list_debug.c:31 during uvc_function_set_alt execution. The issue is classified under CWE-415 (Double Free) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability by interacting with the USB gadget UVC configuration, such as disabling an endpoint during video pump operations. This leads to the double addition of a request to the req_free list—once by the endpoint completion handler and again by uvcg_video_pump—resulting in a detected list corruption and immediate kernel panic. The attacker achieves denial of service through system crash, with high impacts on confidentiality, integrity, and availability due to the kernel-level disruption.

Mitigation involves applying the upstream kernel patches referenced in the stable commit logs. The fix invalidates the local request handle after queuing to prevent re-addition to the req_free list, as implemented in commits like 96163f835e65 (stable queue) and d95ac8b920de (related stable update). Security practitioners should update affected Linux kernels to versions incorporating these changes.
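The double add and the effect of invalidating the local handle can be reproduced in a simplified user-space model, added here as an illustration and not taken from the kernel source. The list helpers, `ep_queue_then_complete` and `pump_once` are hypothetical names, and the double-add check returns 0 where the kernel would hit BUG().

```c
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct request { struct list_head list; };
static struct list_head req_free;   /* model of the driver's free list */
static struct request r;            /* the single request in this model */

static void list_init(struct list_head *h) { h->next = h->prev = h; }

/* Same condition the kernel reports as "list_add double add". */
static int list_add_tail(struct list_head *item, struct list_head *head)
{
    struct list_head *prev = head->prev;
    if (item == prev || item == head)
        return 0;
    item->next = head; item->prev = prev;
    prev->next = item; head->prev = item;
    return 1;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    list_init(e);
}

/* Endpoint is disabled after the queue call: its completion handler
 * puts the request back on req_free. */
static void ep_queue_then_complete(struct request *req)
{
    list_add_tail(&req->list, &req_free);
}

/* One pump pass; returns 1 if req_free stayed consistent, 0 on double add. */
int pump_once(int fixed)
{
    struct request *req = &r;
    list_init(&req_free); list_init(&r.list);
    list_add_tail(&r.list, &req_free);
    list_del(&req->list);            /* pump takes a free request */
    ep_queue_then_complete(req);     /* endpoint now owns the request */
    if (fixed)
        req = NULL;                  /* the fix: drop the local handle */
    return req ? list_add_tail(&req->list, &req_free) : 1;
}

int main(void)
{
    printf("unpatched ok=%d, patched ok=%d\n", pump_once(0), pump_once(1));
    return 0;
}
```

In the unpatched path the second add sees the new entry equal to the list's current tail, which is the same `new == prev` condition visible in the kernel log for this CVE.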

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: fix list double add in uvcg_video_pump

A panic can occur if the endpoint becomes disabled and the uvcg_video_pump adds the request back to the req_free list after it has already been queued to the endpoint. The endpoint complete will add the request back to the req_free list. Invalidate the local request handle once it's been queued.

    <6>[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)
    <3>[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.
    <6>[ 246.797213][ T26] ------------[ cut here ]------------
    <2>[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31!
    <6>[ 246.807073][ T26] Call trace:
    <6>[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c
    <6>[ 246.807366][ T26] process_one_work+0x2a4/0x544
    <6>[ 246.807394][ T26] worker_thread+0x350/0x784
    <6>[ 246.807442][ T26] kthread+0x2ac/0x320

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel flaw enables deliberate system crash via crafted USB gadget interaction, directly supporting Endpoint DoS through application/system exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23449 · Same product: Linux Linux Kernel
CVE-2026-31506 · Same product: Linux Linux Kernel
CVE-2022-49519 · Same product: Linux Linux Kernel
CVE-2026-23387 · Same product: Linux Linux Kernel
CVE-2026-23388 · Same product: Linux Linux Kernel
CVE-2024-57980 · Same product: Linux Linux Kernel
CVE-2026-31489 · Same product: Linux Linux Kernel
CVE-2026-23242 · Same product: Linux Linux Kernel
CVE-2026-22991 · Same product: Linux Linux Kernel
CVE-2025-21717 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 5.16 — 5.18.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating CVE-2022-49686 by applying Linux kernel patches that invalidate the request handle after queuing.

detect

RA-5 mandates vulnerability scanning to identify known issues like this Linux kernel USB gadget UVC driver flaw in deployed systems.

prevent

CM-7 enforces least functionality by disabling unnecessary capabilities such as the USB UVC gadget driver, preventing exploitation opportunities.
