Cyber Resilience

CVE-2022-49755

Severity: High
Published: 27 March 2025
Modified: 01 April 2025
CVSS v3.1 base score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0003 (10.5th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49755 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 10.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49755 is a use-after-free vulnerability in the Linux kernel's USB gadget subsystem, specifically in the f_fs (functionfs) component. The issue arises during fast composition switches, where ffs_ep0_write or ffs_ep0_read can race with functionfs_unbind. In this race, functionfs_unbind frees the ep0req request and sets the pointer to NULL, but ffs_ep0_queue_wait performs no NULL check after acquiring &ffs->ev.waitq.lock and goes on to use the freed request (CWE-416). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the race condition during USB gadget composition switches. Successful exploitation could allow the attacker to achieve high confidentiality, integrity, and availability impacts, potentially including arbitrary code execution or system crashes due to the use-after-free.

Mitigation involves applying the relevant Linux kernel stable patches, as detailed in the commit references. These patches serialize ffs_ep0_queue_wait and functionfs_unbind by taking mutex_lock(ffs->mutex) in both paths, so unbind cannot free ep0req while a write or read is still using it. Affected kernel versions are those without commits such as 6a19da111057, 6aee197b7fbcd615, 6dd9ea05534f, a8d40942df074, and ae8e136bcaae.
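A userspace model of the serialization the fix describes, added here as an example (it is neither kernel code nor the patch itself); the struct names, the usb_request stand-in and the setup_wLength field are simplified assumptions. queue_wait reads ep0req only under the same mutex that unbind holds while freeing it, and returns -EINVAL when the request is already gone:

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
struct usb_request { const char *buf; size_t length; int zero; }; /* stand-in */
struct ffs_data {
    pthread_mutex_t mutex;        /* models ffs->mutex */
    struct usb_request *ep0req;   /* freed and set to NULL by unbind */
    size_t setup_wLength;         /* models ffs->ev.setup.wLength */
};

/* Serialized queue_wait: read ep0req only under the mutex unbind also holds. */
static int ffs_ep0_queue_wait(struct ffs_data *ffs, const char *data, size_t len)
{
    int ret = 0;
    pthread_mutex_lock(&ffs->mutex);
    struct usb_request *req = ffs->ep0req;
    if (!req) {
        ret = -EINVAL;            /* the NULL check the unpatched path lacked */
    } else {
        req->zero = len < ffs->setup_wLength;
        req->buf = data;          /* safe: unbind cannot free req while we hold the mutex */
        req->length = len;
    }
    pthread_mutex_unlock(&ffs->mutex);
    return ret;
}
static void functionfs_unbind(struct ffs_data *ffs)
{
    pthread_mutex_lock(&ffs->mutex);
    free(ffs->ep0req);
    ffs->ep0req = NULL;           /* queue_wait sees this only after we drop the lock */
    pthread_mutex_unlock(&ffs->mutex);
}

static void *unbind_thread(void *arg) { functionfs_unbind(arg); return NULL; }
/* Drive the race: hammer ep0 writes while unbind runs concurrently. Returns 1 if
 * every call returned 0 or -EINVAL and queue_wait keeps refusing after unbind. */
int race_is_benign(void)
{
    struct ffs_data ffs = { PTHREAD_MUTEX_INITIALIZER, calloc(1, sizeof *ffs.ep0req), 64 };
    pthread_t t;
    pthread_create(&t, NULL, unbind_thread, &ffs);
    for (int i = 0; i < 100000; i++) {
        int r = ffs_ep0_queue_wait(&ffs, "setup", 5);
        if (r != 0 && r != -EINVAL) return 0;
    }
    pthread_join(t, NULL);
    return ffs_ep0_queue_wait(&ffs, "x", 1) == -EINVAL;
}
```

Without the mutex and the NULL check, the same loop could read ep0req after unbind freed it; with them, every call either queues normally or fails cleanly with -EINVAL.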

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait. While performing a fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read gets into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that ffs_ep0_write calls ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, functionfs_unbind isn't bounded, so it can go ahead and mark ep0req as NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in a use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).

CWE(s): CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

This local kernel use-after-free vulnerability enables arbitrary code execution from a low-privileged user context during USB gadget operations, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2023-52974 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2022-49176 (same product: Linux kernel)
CVE-2022-49291 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.2; 2.6.35 to 4.14.305; 4.15 to 4.19.272; 4.20 to 5.4.231

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation)

Directly mandates timely remediation of the use-after-free flaw in the Linux kernel's f_fs USB gadget component via application of the stable patches that serialize access with a mutex.

prevent: memory protection

Implements memory protection mechanisms such as non-executable memory and address randomization to mitigate exploitation of the use-after-free vulnerability by preventing unauthorized code execution.

detect: RA-5 (Vulnerability Monitoring and Scanning)

Requires vulnerability scanning to identify the presence of CVE-2022-49755 in deployed kernel versions, enabling prompt initiation of flaw remediation.