Cyber Posture

CVE-2022-49493

High

Published: 26 February 2025

Modified: 03 September 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: rt5645: Fix errorenous cleanup order

There is a logic error when removing the rt5645 device, as the function rt5645_i2c_remove() first cancels the &rt5645->jack_detect_work and deletes the &rt5645->btn_check_timer later. However, since the timer handler rt5645_btn_check_callback() will re-queue the jack_detect_work, this cleanup order is buggy.

That is, once the del_timer_sync in rt5645_i2c_remove is concurrently run with the rt5645_btn_check_callback, the canceled jack_detect_work will be rescheduled again, leading to possible use-after-free.

This patch fixes the issue by placing the del_timer_sync function before the cancel_delayed_work_sync.

Security Summary

CVE-2022-49493 is a use-after-free vulnerability in the Linux kernel's ASoC rt5645 driver. The issue stems from a logic error in the rt5645_i2c_remove() function, which cancels the jack_detect_work before deleting the btn_check_timer. Since the timer's handler, rt5645_btn_check_callback(), re-queues the jack_detect_work, this order can lead to the canceled work being rescheduled during concurrent execution of del_timer_sync, resulting in a use-after-free (CWE-416).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system crashes on affected systems using the rt5645 audio codec driver.

The referenced kernel stable commits provide the fix by reordering the cleanup to call del_timer_sync before cancel_delayed_work_sync in rt5645_i2c_remove(), preventing the race condition. Security practitioners should apply these patches to vulnerable Linux kernel versions incorporating the rt5645 driver.
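
The ordering problem can be reproduced deterministically in a small user-space model. This is an added example, not kernel code and not the driver's source: struct model_dev and the model_* helpers are hypothetical stand-ins for the timer and delayed-work primitives named above, and the model assumes the timer handler has already started on another CPU when removal begins.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the two objects torn down in rt5645_i2c_remove(). */
struct model_dev {
    bool timer_handler_running; /* btn_check callback in flight on another CPU */
    bool timer_armed;           /* btn_check_timer still scheduled */
    bool work_pending;          /* jack_detect_work queued */
};

/* Stand-in for rt5645_btn_check_callback(): it re-queues jack_detect_work. */
static void model_btn_check_callback(struct model_dev *d)
{
    d->work_pending = true;
}

/* Stand-in for del_timer_sync(): wait for a running handler, then disarm. */
static void model_del_timer_sync(struct model_dev *d)
{
    if (d->timer_handler_running) {
        model_btn_check_callback(d); /* handler runs to completion first */
        d->timer_handler_running = false;
    }
    d->timer_armed = false;
}

/* Stand-in for cancel_delayed_work_sync(): nothing stays queued afterwards. */
static void model_cancel_work_sync(struct model_dev *d)
{
    d->work_pending = false;
}

/* Returns true if work is still queued once teardown has finished, i.e. it
 * would later run against driver data that may already have been freed. */
static bool remove_leaves_work(bool fixed_order)
{
    struct model_dev d = { true, true, true }; /* constructed starting state */

    if (fixed_order) {          /* patched order: timer first, then work */
        model_del_timer_sync(&d);
        model_cancel_work_sync(&d);
    } else {                    /* pre-patch order: work first, then timer */
        model_cancel_work_sync(&d);
        model_del_timer_sync(&d);
    }
    return d.work_pending;
}

int main(void)
{
    printf("pre-patch order leaves work queued: %d\n", remove_leaves_work(false));
    printf("patched order leaves work queued:   %d\n", remove_leaves_work(true));
    return 0;
}
```

The general rule the model illustrates: stop the object that can re-arm another one before cancelling the object it re-arms.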

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
≤ 4.9.318 · 4.10 — 4.14.283 · 4.15 — 4.19.247

References