CVE-2022-49275
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: can: m_can: m_can_tx_handler(): fix use after free of skb can_put_echo_skb() will clone skb then free the skb. Move the can_put_echo_skb() for the m_can version 3.0.x directly before the start of the xmit in hardware, similar to the 3.1.x branch.
Security Summary
CVE-2022-49275 is a use-after-free vulnerability in the Linux kernel's CAN subsystem, specifically within the m_can driver's m_can_tx_handler() function for m_can version 3.0.x. The issue arises because can_put_echo_skb() clones the socket buffer (skb) and then frees it, leading to a use-after-free condition if not handled properly before hardware transmission. This flaw is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes through manipulation of the freed skb during transmission handling.
Mitigation involves applying the upstream kernel patches from the provided stable commit references, which resolve the issue by relocating the can_put_echo_skb() call directly before hardware transmission initiation in m_can 3.0.x, mirroring the approach already used in the 3.1.x branch. These patches are available at git.kernel.org/stable for integration into affected Linux kernel versions.
Details
- CWE(s)