Cyber Posture

CVE-2022-49419

High

Published: 26 February 2025
Modified: 24 March 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: vesafb: Fix a use-after-free due to early fb_info cleanup

Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove") fixed a use-after-free error due to the vesafb driver freeing the fb_info in the .remove handler instead of doing it in .fb_destroy. This can happen if the .fb_destroy callback is executed after the .remove callback, since the former tries to access a pointer freed by the latter.

But that change didn't take into account that another possible scenario is that .fb_destroy is called before the .remove callback. For example, if no process has the fbdev chardev opened by the time the driver is removed. If that's the case, fb_info will be freed when unregister_framebuffer() is called, making the fb_info pointer accessed in vesafb_remove() after that no longer valid.

To prevent that, move the expression containing the info->par to happen before the unregister_framebuffer() function call.

Security Summary

CVE-2022-49419 is a use-after-free (CWE-416) in the vesafb framebuffer driver of the Linux kernel's fbdev subsystem. The fbdev core frees a driver's fb_info through the driver's .fb_destroy callback when the last reference to it is dropped: the framebuffer registry holds one reference from register_framebuffer() until unregister_framebuffer(), and every open of the fbdev character device holds another. When no process has the device open at the time the driver is removed, the registry's reference is the last one, so .fb_destroy, and with it framebuffer_release(), runs inside unregister_framebuffer(). framebuffer_release() frees fb_info together with the driver-private vesafb_par, which framebuffer_alloc() carves out of the same allocation. vesafb_remove() then dereferenced info->par after that call to decide whether to release its I/O region, reading freed memory. The earlier commit b3c9a924aab6 had moved the freeing from .remove into .fb_destroy to fix the opposite ordering, in which a process still holding the device open makes .fb_destroy run after .remove; it did not cover this .fb_destroy-before-.remove case.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated High: local access, low attack complexity, low privileges, no user interaction, and high confidentiality, integrity and availability impact. That vector should be weighed against the trigger. The stale read happens only in vesafb_remove(), which runs when the vesafb platform device is unbound or the driver is removed, a root-only operation on a default system, and what is read is the info->par pointer and its region flag, which only decide whether an I/O region is released. Turning that into code execution would require winning a slab-reuse race during a root-initiated unbind; the realistic outcome is a kernel crash or KASAN report during driver removal. The low EPSS score (0.0014) is consistent with that.

Mitigation is to run a kernel that carries the fix. The fix commits in the stable repository are 0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63, acde4003efc16480375543638484d8f13f2e99a3, d260cad015945d1f4bb9b028a096f648506106a2 and f605f5558ecc175ec70016a3c15f007cb6386531; given the affected ranges below, the fixed stable releases are 5.15.47, 5.17.15 and 5.18.4 and later in each series. The change moves the expression that dereferences info->par so it is evaluated before unregister_framebuffer(), while the registry's reference still keeps fb_info alive. When checking a system, compare uname -r against those versions, but treat the distribution's own advisory as authoritative: distribution kernels backport fixes without changing the upstream version string. There is no configuration workaround; the vulnerable path is only reached when the driver is removed, and since CONFIG_FB_VESA is a built-in (boolean) option that means unbinding the platform device through sysfs rather than unloading a module.
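The two orderings described above (the .fb_destroy-after-.remove case fixed by b3c9a924aab6 and the .fb_destroy-before-.remove case fixed here), and why the reordering is sufficient, can be seen in a small userspace model. This is an added example written for this page, not the kernel's or the vesafb driver's code: the fb_info struct, the registry and the two vesafb_remove variants are simplified stand-ins; the par_of() accessor, the freed flag and the quarantine pointer are model-only instrumentation that plays the role KASAN would in a real kernel; and the fixed variant performs the whole region check before unregister_framebuffer(). Only the reference-count rule (the registry holds one reference, each open file holds another, .fb_destroy runs when the last one drops) and the fact that par is carved out of the fb_info allocation are taken from the kernel.

```c
/* Userspace model of the fbdev lifetime rules behind CVE-2022-49419. Added
 * illustration, not kernel code: fb_info, the registry and the vesafb_remove()
 * variants are stand-ins that keep only the refcount deciding when .fb_destroy runs. */
#include <stdio.h>
#include <stdlib.h>

struct fb_info;
struct fb_ops { void (*fb_destroy)(struct fb_info *info); };
struct fb_info {
    int count;                  /* registry reference + one per open fd */
    int freed;                  /* model-only: set by framebuffer_release() */
    const struct fb_ops *fbops;
    void *par;                  /* driver data, carved out of the same
                                   allocation as fb_info (framebuffer_alloc) */
};
struct vesafb_par { int region; };   /* non-zero: VGA I/O region claimed */

/* Model instrumentation standing in for KASAN: the released object stays mapped
 * (quarantine) so a stale dereference is counted instead of crashing or, as on a
 * real kernel before slab reuse, silently reading old data. */
static int uaf_hits;
static struct fb_info *quarantine;
static void *par_of(struct fb_info *info)
{
    if (info->freed)
        uaf_hits++;             /* kernel: read of kfree()d memory */
    return info->par;
}

static struct fb_info *registered_fb;
static struct fb_info *framebuffer_alloc(size_t par_size)
{
    char *p = calloc(1, sizeof(struct fb_info) + par_size);
    struct fb_info *info = (struct fb_info *)p;
    info->par = p + sizeof(struct fb_info);
    return info;
}
/* Kernel: kfree(info), which takes par with it. */
static void framebuffer_release(struct fb_info *info) { info->freed = 1; quarantine = info; }
/* Dropping the last reference runs the driver's .fb_destroy. */
static void put_fb_info(struct fb_info *info) { if (--info->count == 0) info->fbops->fb_destroy(info); }
/* The registry holds one reference from register until unregister. */
static void register_framebuffer(struct fb_info *info) { info->count = 1; registered_fb = info; }
static void unregister_framebuffer(struct fb_info *info) { registered_fb = NULL; put_fb_info(info); }
static int fb_open(struct fb_info *info)
{
    if (registered_fb != info)
        return -1;              /* kernel: -ENODEV once unregistered */
    info->count++;
    return 0;
}
static void fb_close(struct fb_info *info) { put_fb_info(info); } /* may destroy after .remove */

/* vesafb-like driver. */
static int region_released;
static void release_region(void) { region_released = 1; }
static void vesafb_destroy(struct fb_info *info) { framebuffer_release(info); }
static const struct fb_ops vesafb_ops = { .fb_destroy = vesafb_destroy };

/* Pre-fix ordering: info->par is read after unregister_framebuffer(), which has
 * already freed info when no process had the chardev open. */
static void vesafb_remove_unfixed(struct fb_info *info)
{
    unregister_framebuffer(info);
    if (((struct vesafb_par *)par_of(info))->region)
        release_region();
}

/* Safe ordering: the check that dereferences par runs while the registry still
 * holds its reference; that reference is dropped last. */
static void vesafb_remove_fixed(struct fb_info *info)
{
    if (((struct vesafb_par *)par_of(info))->region)
        release_region();
    unregister_framebuffer(info);
}

/* One driver lifetime. opener_holds_fd models a process keeping /dev/fb0 open
 * across the unbind. Returns the freed-memory dereferences seen in .remove. */
static int run_scenario(void (*drv_remove)(struct fb_info *), int opener_holds_fd)
{
    struct fb_info *info = framebuffer_alloc(sizeof(struct vesafb_par));
    info->fbops = &vesafb_ops;
    ((struct vesafb_par *)info->par)->region = 1;
    uaf_hits = region_released = 0; quarantine = NULL;
    register_framebuffer(info);
    if (opener_holds_fd) fb_open(info);
    drv_remove(info);           /* driver unbind / module removal */
    if (opener_holds_fd) fb_close(info); /* last reference: .fb_destroy runs now */
    free(quarantine);           /* model bookkeeping only */
    return uaf_hits;
}

int main(void)
{
    printf("unfixed, no opener:    %d UAF\n", run_scenario(vesafb_remove_unfixed, 0));
    printf("unfixed, fd held open: %d UAF\n", run_scenario(vesafb_remove_unfixed, 1));
    printf("fixed, no opener:      %d UAF\n", run_scenario(vesafb_remove_fixed, 0));
    printf("fixed, fd held open:   %d UAF\n", run_scenario(vesafb_remove_fixed, 1));
    return 0;
}
```

Build with cc -Wall -o vesafb_model vesafb_model.c and run it: only the unfixed ordering with no opener reports a stale dereference, which is exactly the case the commit message describes. The model also shows why merely copying info->par into a local before unregister_framebuffer() would not be enough on its own: par points into the same allocation as fb_info, so any dereference of it has to happen before the registry's reference is dropped.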

Details

CWE(s)
CWE-416 (Use After Free)

Affected Products

linux
linux kernel
5.15.41 — 5.15.46 · 5.17.9 — 5.17.14 · 5.18 — 5.18.3

References