Cyber Posture

CVE-2022-49524

High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

media: pci: cx23885: Fix the error handling in cx23885_initdev()

When the driver fails to call the dma_set_mask(), the driver will get the following splat:

    [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
    [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
    [ 55.856822] Call Trace:
    [ 55.860327] __process_removed_driver+0x3c/0x240
    [ 55.861347] bus_for_each_dev+0x102/0x160
    [ 55.861681] i2c_del_driver+0x2f/0x50

This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling, fix this bug by modifying the error path that jumps after failing to call the dma_set_mask().

Security Summary

CVE-2022-49524 is a use-after-free vulnerability (CWE-416) in the Linux kernel's cx23885 PCI driver, which handles media devices such as video capture cards. The issue arises in the cx23885_initdev() function due to flawed error handling: when dma_set_mask() fails, the driver has already initialized i2c-related resources in cx23885_dev_setup(), but the error path it jumps to does not release them. This leads to a use-after-free that KASAN reports as a splat in __process_removed_driver() during i2c driver removal. The CVSS v3.1 base score is 7.8.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability by triggering the faulty initialization path in the cx23885 driver. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), potentially allowing arbitrary code execution, privilege escalation, or system crashes via the use-after-free condition during driver error handling or removal.

The provided references point to stable kernel patch commits that address the issue by modifying the error path in cx23885_initdev() to properly release i2c resources after a dma_set_mask() failure. Security practitioners should apply these upstream fixes to affected Linux kernel versions supporting the cx23885 driver to mitigate the vulnerability.
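
The error-path bug described above, modelled in user space as an added example (this is not the cx23885 driver's code or the upstream patch). Every name is hypothetical and `late_step()` stands in for the failing `dma_set_mask()` call; `bus_stale_refs()` is the kind of check a fault-injection test can assert on after a forced probe failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* User-space model, all names hypothetical. The "bus" remembers the address
 * of every registered client, like a subsystem core tracking driver objects. */
#define MAX_CLIENTS 4
static uintptr_t bus_clients[MAX_CLIENTS];

static int bus_register(void *c) {
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (!bus_clients[i]) { bus_clients[i] = (uintptr_t)c; return 0; }
    return -1;
}
static void bus_unregister(void *c) {
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (bus_clients[i] == (uintptr_t)c) bus_clients[i] = 0;
}
/* Entries still registered; after a failed probe each one is a stale address. */
int bus_stale_refs(void) {
    int n = 0;
    for (int i = 0; i < MAX_CLIENTS; i++) n += bus_clients[i] != 0;
    return n;
}
struct dev { int client; };
static int dev_setup(struct dev *d) { return bus_register(&d->client); }
static void dev_teardown(struct dev *d) { bus_unregister(&d->client); }
static int late_step(int fail) { return fail ? -5 : 0; } /* e.g. a DMA mask call */
/* unwind_setup=0 models the flawed error path, 1 the corrected one. */
int probe(int fail_late, int unwind_setup) {
    struct dev *d = calloc(1, sizeof(*d));
    int err;
    if (!d) return -12;
    if ((err = dev_setup(d))) goto fail_free;
    if ((err = late_step(fail_late))) goto fail_setup;
    dev_teardown(d); /* success: a real driver defers this to remove() */
    free(d);
    return 0;
fail_setup:
    if (unwind_setup) dev_teardown(d); /* the release the flawed path skips */
fail_free:
    free(d);
    return err;
}

int main(void) {
    int ok = probe(1, 1), ok_refs = bus_stale_refs(), bad = probe(1, 0);
    printf("fixed:  rc=%d stale=%d\nflawed: rc=%d stale=%d\n", ok, ok_refs, bad, bus_stale_refs());
    return 0;
}
```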

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
≤ 4.14.283 · 4.15 — 4.19.247 · 4.20 — 5.4.198

References