7.8
HIGH CVSS 3.1
CVE-2022-49524
Cirrus Logic cx23885 Linux Kernel Use-After-Free Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved:

media: pci: cx23885: Fix the error handling in cx23885_initdev()

When the driver fails to call the dma_set_mask(), the driver will get the following splat:

    [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
    [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
    [ 55.856822] Call Trace:
    [ 55.860327] __process_removed_driver+0x3c/0x240
    [ 55.861347] bus_for_each_dev+0x102/0x160
    [ 55.861681] i2c_del_driver+0x2f/0x50

This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling, fix this bug by modifying the error path that jumps after failing to call the dma_set_mask().
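The error-path pattern described above, as an added userspace model that is not the driver's code or the upstream patch. Every name in it (bus_list, model_dev, model_probe and the helpers) is hypothetical; a linked list stands in for the bus core's device list, and the fixed flag selects the original or the corrected jump target.

```c
/* Userspace model of the error path; all names are hypothetical, not driver code. */
#include <stdlib.h>

struct bus_client { struct bus_client *next; };
struct model_dev  { struct bus_client client; };

static struct bus_client *bus_list; /* stands in for the bus core's device list */
static int bus_count;               /* entries currently linked on bus_list */

static void bus_register(struct bus_client *c)
{
    c->next = bus_list; bus_list = c; bus_count++;
}
static void bus_unregister(struct bus_client *c)
{
    for (struct bus_client **p = &bus_list; *p; p = &(*p)->next)
        if (*p == c) { *p = c->next; bus_count--; return; }
}
/* Models a setup step that publishes a pointer into dev to the bus core. */
static void model_dev_setup(struct model_dev *dev) { bus_register(&dev->client); }
/* Models the DMA mask call; ok == 0 simulates the failure in the description. */
static int model_dma_set_mask(int ok) { return ok ? 0 : -5; /* -EIO */ }

static int model_probe(int dma_ok, int fixed)
{
    struct model_dev *dev = calloc(1, sizeof(*dev));
    int err;

    if (!dev)
        return -12; /* -ENOMEM */
    model_dev_setup(dev);
    err = model_dma_set_mask(dma_ok);
    if (err) {
        if (fixed)
            goto fail_unwind; /* corrected target: undo the setup step first */
        goto fail_free;       /* original target: bus_list keeps a stale pointer */
    }
    return 0; /* success: dev stays registered until a remove step */

fail_unwind:
    bus_unregister(&dev->client);
fail_free:
    free(dev);
    return err;
}

int main(void)
{
    /* Exit status 0 when the corrected path leaves nothing registered. */
    return (model_probe(0, 1) == -5 && bus_count == 0) ? 0 : 1;
}
```

With fixed set to 0 the list still holds one entry pointing into freed memory after the failed probe, and any later walk of that list (the i2c_del_driver path in the splat) reads it.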

INFO

Published Date: Feb. 26, 2025, 7:01 a.m.

Last Modified: March 24, 2025, 7:43 p.m.

Remotely Exploitable: No

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2022-49524 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
Update the Linux kernel to the latest stable version to fix a use-after-free vulnerability.
  • Update the Linux kernel to the latest stable version.
  • Apply the provided patch for the media driver.
  • Recompile and install the updated kernel.
  • Reboot the system after updating the kernel.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2022-49524 is associated with the following CWEs:

The following table lists the changes that have been made to the CVE-2022-49524 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 24, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.198
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.121
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.46
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 5.17.14
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.18 up to (excluding) 5.18.3
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.247
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.14.283
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/453514a874c78df1e7804e6e3aaa60c8d8deb6a8 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/6041d1a0365baa729b6adfb6ed5386d9388018db Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/7b9978e1c94e569d65a0e7e719abb9340f5db4a0 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/86bd6a579c6c60547706cabf299cd2c9feab3332 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/98106f100f50c487469903b9cf6d966785fc9cc3 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/ca17e7a532d1a55466cc007b3f4d319541a27493 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/e8123311cf06d7dae71e8c5fe78e0510d20cd30b Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/fa636e9ee4442215cd9a2e079cd5a8e1fe0cb8ba Types: Patch
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 27, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-416
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 26, 2025

    Action Type Old Value New Value
    Added Description
        In the Linux kernel, the following vulnerability has been resolved:

        media: pci: cx23885: Fix the error handling in cx23885_initdev()

        When the driver fails to call the dma_set_mask(), the driver will get the following splat:

            [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
            [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
            [ 55.856822] Call Trace:
            [ 55.860327] __process_removed_driver+0x3c/0x240
            [ 55.861347] bus_for_each_dev+0x102/0x160
            [ 55.861681] i2c_del_driver+0x2f/0x50

        This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling, fix this bug by modifying the error path that jumps after failing to call the dma_set_mask().
    Added Reference https://git.kernel.org/stable/c/453514a874c78df1e7804e6e3aaa60c8d8deb6a8
    Added Reference https://git.kernel.org/stable/c/6041d1a0365baa729b6adfb6ed5386d9388018db
    Added Reference https://git.kernel.org/stable/c/7b9978e1c94e569d65a0e7e719abb9340f5db4a0
    Added Reference https://git.kernel.org/stable/c/86bd6a579c6c60547706cabf299cd2c9feab3332
    Added Reference https://git.kernel.org/stable/c/98106f100f50c487469903b9cf6d966785fc9cc3
    Added Reference https://git.kernel.org/stable/c/ca17e7a532d1a55466cc007b3f4d319541a27493
    Added Reference https://git.kernel.org/stable/c/e8123311cf06d7dae71e8c5fe78e0510d20cd30b
    Added Reference https://git.kernel.org/stable/c/fa636e9ee4442215cd9a2e079cd5a8e1fe0cb8ba
Vulnerability Scoring Details
Base CVSS Score: 7.8
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High