CVE-2022-49535

CVE-2022-49535 is a use-after-free vulnerability in the Linux kernel's lpfc SCSI driver, leading to a null pointer dereference. The issue arises when lpfc_issue_els_flogi() fails and returns a non-zero status, causing the node reference count to decrement and potentially release the nodelist structure prematurely if prior registration or dev-loss-evt work is pending. A similar problem occurs in lpfc_cmpl_els_plogi() during non-zero ELS PLOGI completion, where ndlp flags are checked before node removal, allowing dev-loss-evt to reference a freed node. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering FLOGI or PLOGI failures in the lpfc driver while dev-loss-evt work is pending, leading to a use-after-free condition. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as kernel crashes, denial of service, or potential arbitrary code execution within the kernel context.

Mitigation is provided through kernel patches referenced in stable commit 10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df, which adds checks for pending dev-loss events before decrementing the node reference count in FLOGI, PLOGI, PRLI, and ADISC handling. Additional fixes appear in commits 577a942df3de2666f6947bdd3a5c9e8d30073424 and c7dc74ab7975c9b96284abfe4cca756d75fa4604, addressing the premature release and subsequent dereferences in the lpfc driver. Security practitioners should apply these upstream kernel updates to affected systems using the lpfc driver.