Cyber Posture

CVE-2022-49685

High

Published: 26 February 2025

Published
26 February 2025
Modified
24 March 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: iio: trigger: sysfs: fix use-after-free on remove Ensure that the irq_work has completed before the trigger is freed. ================================================================== BUG: KASAN: use-after-free in irq_work_run_list Read of size 8 at addr 0000000064702248 by task python3/25 Call Trace: irq_work_run_list irq_work_tick update_process_times tick_sched_handle tick_sched_timer __hrtimer_run_queues hrtimer_interrupt Allocated by task 25: kmem_cache_alloc_trace iio_sysfs_trig_add dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write Freed by task 25: kfree iio_sysfs_trig_remove dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write ==================================================================

Security Summary

CVE-2022-49685 is a use-after-free vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the sysfs trigger interface. The issue arises during trigger removal via sysfs attributes, where the trigger is freed before the associated irq_work completes, leading to a read-after-free detected by KASAN in functions like irq_work_run_list. This affects kernels with IIO sysfs trigger support, as evidenced by allocation in iio_sysfs_trig_add and freeing in iio_sysfs_trig_remove during sysfs writes.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By writing to the relevant sysfs attributes—such as through a process like Python scripting sysfs files—the attacker can trigger the add/remove sequence, causing the use-after-free when irq_work_tick processes the pending work post-free. Successful exploitation yields high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially allowing arbitrary code execution, data corruption, or kernel crashes.

Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 31ff3309b47d98313c61b8301bf595820cc3cc33 and others, which ensure irq_work completion before freeing the trigger. Security practitioners should update affected Linux distributions or kernels to versions incorporating these fixes.

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
5.19 · 3.7 — 4.9.321 · 4.10 — 4.14.286 · 4.15 — 4.19.250

References