Cyber Posture

CVE-2022-49755

Severity: High
Published: 27 March 2025
Modified: 01 April 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.2th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2022-49755 is a use-after-free vulnerability in the Linux kernel's USB gadget subsystem, specifically in the f_fs (functionfs) component. The issue arises during fast composition switch operations, where ffs_ep0_write or ffs_ep0_read can race with functionfs_unbind. In this race, functionfs_unbind frees the ep0req structure and sets the pointer to NULL, but ffs_ep0_queue_wait lacks a NULL check after acquiring &ffs->ev.waitq.lock, so it dereferences the freed request (CWE-416). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the race condition during USB gadget composition switches. Successful exploitation could allow the attacker to achieve high confidentiality, integrity, and availability impacts, potentially including arbitrary code execution or system crashes due to the use-after-free.

Mitigation involves applying the relevant Linux kernel stable patches, as detailed in the commit references. These patches serialize execution between ffs_ep0_queue_wait and functionfs_unbind by introducing a mutex_lock(ffs->mutex), preventing the race. Affected kernel versions are those prior to the application of commits such as 6a19da111057, 6aee197b7fbcd615, 6dd9ea05534f, a8d40942df074, and ae8e136bcaae.

Details

CWE(s)
CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.2; 2.6.35 to 4.14.305; 4.15 to 4.19.272; 4.20 to 5.4.231

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

This local kernel use-after-free vulnerability enables arbitrary code execution from a low-privileged user context during USB gadget operations, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
