CVE-2022-49724
Published: 26 February 2025
Summary
CVE-2022-49724 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49724 is a use-after-free vulnerability (CWE-416) in the Linux kernel's goldfish tty driver. The issue arises during driver unbinding, where the goldfish_tty_remove function calls free_irq() with an incorrect dev_id, triggering a kernel warning about attempting to free an already-free IRQ 65. This splat is observed in the kernel/irq/manage.c code at line 1895, as seen in the call trace involving warn_slowpath_fmt, platform_remove, and device management functions.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as indicated by its CVSS v3.1 base score of 7.8.
Mitigation is provided through kernel patches applied to stable branches, including commits such as 499e13aac6c762e1e828172b0f0f5275651d6512, 65ca4db68b6819244df9024aea4be55edf8af1ef, a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8, c4b0b8edccb0cfb15a8cecf4161e0571d3daac64, and c83a1d40dc624070a203eb383ef9fb60eb634136 available at git.kernel.org/stable. Security practitioners should ensure systems use kernel versions incorporating these fixes to prevent the faulty IRQ handling during driver removal.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54511
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: tty: goldfish: Fix free_irq() on remove Pass the correct dev_id to free_irq() to fix this splat when the driver is unbound: WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq Trying…
more
to free already-free IRQ 65 Call Trace: warn_slowpath_fmt free_irq goldfish_tty_remove platform_remove device_remove device_release_driver_internal device_driver_detach unbind_store drv_attr_store ...
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel use-after-free in goldfish tty driver enables privilege escalation from low-privileged local access to full system compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires organizations to identify, report, and correct the use-after-free flaw in the goldfish tty driver via application of specific kernel patches.
Restricts the kernel to least functionality by disabling or prohibiting non-essential drivers like goldfish_tty, preventing loading of vulnerable code.
Enables detection of CVE-2022-49724 through vulnerability scanning of kernel versions and components.