CVE-2022-49426
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-v3-sva: Fix mm use-after-free
We currently call arm64_mm_context_put() without holding a reference to the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to ensure the mm only gets freed after we unpinned the ASID.
Security Summary
CVE-2022-49426 is a use-after-free vulnerability in the Linux kernel's IOMMU implementation for ARM SMMUv3 with Shared Virtual Addressing (SVA) support. The issue arises because arm64_mm_context_put() is called without holding a reference to the mm_struct, so the mm can be freed before the ASID is unpinned and is then used after it has been freed. This flaw, classified under CWE-416, affects Linux kernels that do not include the relevant stable patches and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability; attack complexity is low and no user interaction is required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing the attacker to escalate privileges or cause denial of service within the affected kernel context.
Mitigation involves applying the upstream patches from the provided stable kernel commit references, including 9aa215450888cf29af0c479e14a712dc6b0c506c, cbd23144f7662b00bcde32a938c4a4057e476d68, e3cbbdbff8a4db5d053c53fd71be62ccccdb52b0, and fc90f13ea0dcd960e5002d204fa55cec4e0db2fa. These commits introduce mmgrab() and mmdrop() calls to properly manage the mm_struct reference, ensuring it is not freed prematurely. Security practitioners should update affected Linux kernels to versions incorporating these fixes.
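The reference ordering that the mmgrab()/mmdrop() fix enforces, shown as an added user-space model that is not the kernel's code or the patch itself. All `model_*` names and `run_sequence()` are hypothetical, and the scenario (another holder dropping its reference before the unpin) is an assumption made for illustration.

```c
/* User-space model (constructed). Every name is a hypothetical stand-in;
 * none of this is kernel code. */
#include <stdbool.h>
#include <stdio.h>
struct model_mm {
    int  count;        /* stands in for the mm reference count */
    bool freed;        /* set instead of calling free(), so it can be inspected */
    bool asid_pinned;  /* stands in for the pinned ASID */
};

static void model_mmgrab(struct model_mm *mm) { mm->count++; }

static void model_mmdrop(struct model_mm *mm)
{
    if (--mm->count == 0)
        mm->freed = true;              /* last reference gone: mm is released */
}

/* Stand-in for arm64_mm_context_put(): it touches the mm to unpin the ASID.
 * Returns false when the mm it touched had already been released. */
static bool model_context_put(struct model_mm *mm)
{
    bool live = !mm->freed;
    mm->asid_pinned = false;
    return live;
}

/* Returns 1 on use-after-free, 0 when the unpin was safe and the mm was
 * released afterwards, -1 if the mm leaked. */
int run_sequence(bool hold_reference)
{
    struct model_mm mm = { .count = 1, .freed = false, .asid_pinned = true };
    if (hold_reference)
        model_mmgrab(&mm);             /* fixed ordering: own reference first */
    model_mmdrop(&mm);                 /* assumed: other holder drops its reference */
    bool live = model_context_put(&mm);
    if (hold_reference)
        model_mmdrop(&mm);             /* released only after the unpin */
    if (!live)
        return 1;
    return mm.freed ? 0 : -1;
}

int main(void)
{
    printf("without reference: %d\n", run_sequence(false));
    printf("with mmgrab/mmdrop: %d\n", run_sequence(true));
    return 0;
}
```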
Details
- CWE(s)