CVE-2022-49686

CVE-2022-49686 is a vulnerability in the Linux kernel's USB gadget UVC (USB Video Class) driver, specifically within the uvcg_video_pump function. It arises from a list double-add error where a USB request is added back to the req_free list after already being queued to an endpoint, particularly when the endpoint becomes disabled. This triggers a kernel panic due to list debug checks failing, as evidenced by kernel logs showing a BUG at lib/list_debug.c:31 during uvc_function_set_alt execution. The issue is classified under CWE-415 (Double Free) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability by interacting with the USB gadget UVC configuration, such as disabling an endpoint during video pump operations. This leads to the double addition of a request to the req_free list—once by the endpoint completion handler and again by uvcg_video_pump—resulting in a detected list corruption and immediate kernel panic. The attacker achieves denial of service through system crash, with high impacts on confidentiality, integrity, and availability due to the kernel-level disruption.

Mitigation involves applying the upstream kernel patches referenced in the stable commit logs. The fix invalidates the local request handle after queuing to prevent re-addition to the req_free list, as implemented in commits like 96163f835e65 (stable queue) and d95ac8b920de (related stable update). Security practitioners should update affected Linux kernels to versions incorporating these changes.