Cyber Resilience

CVE-2022-49724

High

Published: 26 February 2025

Published
26 February 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49724 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49724 is a use-after-free vulnerability (CWE-416) in the Linux kernel's goldfish tty driver. The issue arises during driver unbinding, where the goldfish_tty_remove function calls free_irq() with an incorrect dev_id, triggering a kernel warning about attempting to free an already-free IRQ 65. This splat is observed in the kernel/irq/manage.c code at line 1895, as seen in the call trace involving warn_slowpath_fmt, platform_remove, and device management functions.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as indicated by its CVSS v3.1 base score of 7.8.

Mitigation is provided through kernel patches applied to stable branches, including commits such as 499e13aac6c762e1e828172b0f0f5275651d6512, 65ca4db68b6819244df9024aea4be55edf8af1ef, a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8, c4b0b8edccb0cfb15a8cecf4161e0571d3daac64, and c83a1d40dc624070a203eb383ef9fb60eb634136 available at git.kernel.org/stable. Security practitioners should ensure systems use kernel versions incorporating these fixes to prevent the faulty IRQ handling during driver removal.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: tty: goldfish: Fix free_irq() on remove Pass the correct dev_id to free_irq() to fix this splat when the driver is unbound: WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq Trying…

more

to free already-free IRQ 65 Call Trace: warn_slowpath_fmt free_irq goldfish_tty_remove platform_remove device_remove device_release_driver_internal device_driver_detach unbind_store drv_attr_store ...

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in goldfish tty driver enables privilege escalation from low-privileged local access to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2023-52974Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2022-49176Same product: Linux Linux Kernel
CVE-2022-49291Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 4.6 — 4.14.285 · 4.15 — 4.19.249 · 4.20 — 5.4.200

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires organizations to identify, report, and correct the use-after-free flaw in the goldfish tty driver via application of specific kernel patches.

prevent

Restricts the kernel to least functionality by disabling or prohibiting non-essential drivers like goldfish_tty, preventing loading of vulnerable code.

detect

Enables detection of CVE-2022-49724 through vulnerability scanning of kernel versions and components.

References