CVE-2022-49493

In the Linux kernel, the following vulnerability has been resolved: ASoC: rt5645: Fix errorenous cleanup order There is a logic error when removing rt5645 device as the function rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and delete the &rt5645->btn_check_timer latter. However, since the timer handler rt5645_btn_check_callback() will re-queue the jack_detect_work, this cleanup order is buggy. That is, once the del_timer_sync in rt5645_i2c_remove is concurrently run with the rt5645_btn_check_callback, the canceled jack_detect_work will be rescheduled again, leading to possible use-after-free. This patch fix the issue by placing the del_timer_sync function before the cancel_delayed_work_sync.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/061a6159cea583f1155f67d1915917a6b9282662	Patch
https://git.kernel.org/stable/c/0941150100173d4eaf3fe08ff4b16740e7c3026f	Patch
https://git.kernel.org/stable/c/1a5a3dfd9f172dcb115072f0aea5e27d3083c20e	Patch
https://git.kernel.org/stable/c/236d29c5857f02e0a53fdf15d3dce1536c4322ce	Patch
https://git.kernel.org/stable/c/2def44d3aec59e38d2701c568d65540783f90f2f	Patch
https://git.kernel.org/stable/c/453f0920ffc1a28e28ddb9c3cd5562472b2895b0	Patch
https://git.kernel.org/stable/c/88c09e4812d72c3153afc8e5a45ecac2d0eae3ff	Patch
https://git.kernel.org/stable/c/abe7554da62cb489712a54de69ef5665c250e564	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-02-26 07:01

Updated : 2025-09-03 17:15

NVD link : CVE-2022-49493

Mitre link : CVE-2022-49493

CVE.ORG link : CVE-2022-49493

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2022-49493", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:25.520", "references": [{"url": "https://git.kernel.org/stable/c/061a6159cea583f1155f67d1915917a6b9282662", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0941150100173d4eaf3fe08ff4b16740e7c3026f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1a5a3dfd9f172dcb115072f0aea5e27d3083c20e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/236d29c5857f02e0a53fdf15d3dce1536c4322ce", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2def44d3aec59e38d2701c568d65540783f90f2f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/453f0920ffc1a28e28ddb9c3cd5562472b2895b0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/88c09e4812d72c3153afc8e5a45ecac2d0eae3ff", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/abe7554da62cb489712a54de69ef5665c250e564", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix errorenous cleanup order\n\nThere is a logic error when removing rt5645 device as the function\nrt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and\ndelete the &rt5645->btn_check_timer latter. However, since the timer\nhandler rt5645_btn_check_callback() will re-queue the jack_detect_work,\nthis cleanup order is buggy.\n\nThat is, once the del_timer_sync in rt5645_i2c_remove is concurrently\nrun with the rt5645_btn_check_callback, the canceled jack_detect_work\nwill be rescheduled again, leading to possible use-after-free.\n\nThis patch fix the issue by placing the del_timer_sync function before\nthe cancel_delayed_work_sync."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: rt5645: Se corrige el orden de depuraci\u00f3n err\u00f3neo Hay un error l\u00f3gico al eliminar el dispositivo rt5645, ya que la funci\u00f3n rt5645_i2c_remove() primero cancela &rt5645->jack_detect_work y elimina &rt5645->btn_check_timer despu\u00e9s. Sin embargo, dado que el controlador del temporizador rt5645_btn_check_callback() volver\u00e1 a poner en cola jack_detect_work, este orden de limpieza tiene errores. Es decir, una vez que del_timer_sync en rt5645_i2c_remove se ejecuta simult\u00e1neamente con rt5645_btn_check_callback, el jack_detect_work cancelado se reprogramar\u00e1 nuevamente, lo que provocar\u00e1 un posible use-after-free. Este parche soluciona el problema colocando la funci\u00f3n del_timer_sync antes de cancel_delayed_work_sync."}], "lastModified": "2025-09-03T17:15:32.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D4D4067-974D-4560-8320-22FDA399E3F9", "versionEndExcluding": "4.9.318"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6823775-2653-4644-A0D4-4E6E68F10C65", "versionEndExcluding": "4.14.283", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8CFA0F4-2D75-41F4-9753-87944A08B53B", "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EC49633-14DE-4EBD-BB80-76AE2E3EABB9", "versionEndExcluding": "5.4.198", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20D41697-0E8B-4B7D-8842-F17BF2AA21E1", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}