CVE-2022-49755
Published: 27 March 2025
Summary
CVE-2022-49755 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49755 is a use-after-free vulnerability in the Linux kernel's USB gadget subsystem, specifically within the f_fs (functionfs) component. The issue arises during fast composition switch operations, where ffs_ep0_write or ffs_ep0_read can race with functionfs_unbind. In this race, functionfs_unbind frees the ep0req structure and sets it to NULL, but ffs_ep0_queue_wait lacks a NULL check after acquiring the &ffs->ev.waitq.lock, leading to a use-after-free (CWE-416). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the race condition during USB gadget composition switches. Successful exploitation could allow the attacker to achieve high confidentiality, integrity, and availability impacts, potentially including arbitrary code execution or system crashes due to the use-after-free.
Mitigation involves applying the relevant Linux kernel stable patches, as detailed in the commit references. These patches serialize execution between ffs_ep0_queue_wait and functionfs_unbind by introducing a mutex_lock(ffs->mutex), preventing the race. Affected kernel versions are those prior to the application of commits such as 6a19da111057, 6aee197b7fbcd615, 6dd9ea05534f, a8d40942df074, and ae8e136bcaae.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55168
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being…
more
freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
This local kernel use-after-free vulnerability enables arbitrary code execution from a low-privileged user context during USB gadget operations, directly mapping to exploitation for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the use-after-free flaw in the Linux kernel's f_fs USB gadget component via application of stable patches that serialize access with a mutex.
Implements memory protection mechanisms such as non-executable memory and address randomization to mitigate exploitation of the use-after-free vulnerability by preventing unauthorized code execution.
Requires vulnerability scanning to identify the presence of CVE-2022-49755 in kernel versions, enabling prompt initiation of flaw remediation.