CVE-2022-49505 (GCVE-0-2022-49505)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2025-05-04 12:44
Title
NFC: NULL out the dev->rfkill to prevent UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:

NFC: NULL out the dev->rfkill to prevent UAF

Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device") assumes the device_is_registered() in function nfc_dev_up() will help to check when the rfkill is unregistered. However, this check only takes effect when device_del(&dev->dev) is done in nfc_unregister_device(). Hence, it is still possible for the rfkill object to be dereferenced.

The crash trace in latest kernel (5.18-rc2):

[   68.760105] ==================================================================
[   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750
[   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313
[   68.760756]
[   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4
[   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   68.760756] Call Trace:
[   68.760756]  <TASK>
[   68.760756]  dump_stack_lvl+0x57/0x7d
[   68.760756]  print_report.cold+0x5e/0x5db
[   68.760756]  ? __lock_acquire+0x3ec1/0x6750
[   68.760756]  kasan_report+0xbe/0x1c0
[   68.760756]  ? __lock_acquire+0x3ec1/0x6750
[   68.760756]  __lock_acquire+0x3ec1/0x6750
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  ? register_lock_class+0x18d0/0x18d0
[   68.760756]  lock_acquire+0x1ac/0x4f0
[   68.760756]  ? rfkill_blocked+0xe/0x60
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0
[   68.760756]  ? nla_get_range_signed+0x540/0x540
[   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50
[   68.760756]  _raw_spin_lock_irqsave+0x39/0x50
[   68.760756]  ? rfkill_blocked+0xe/0x60
[   68.760756]  rfkill_blocked+0xe/0x60
[   68.760756]  nfc_dev_up+0x84/0x260
[   68.760756]  nfc_genl_dev_up+0x90/0xe0
[   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0
[   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230
[   68.760756]  ? security_capable+0x51/0x90
[   68.760756]  genl_rcv_msg+0x280/0x500
[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
[   68.760756]  ? lock_acquire+0x1ac/0x4f0
[   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0
[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   68.760756]  netlink_rcv_skb+0x11b/0x340
[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
[   68.760756]  ? netlink_ack+0x9c0/0x9c0
[   68.760756]  ? netlink_deliver_tap+0x136/0xb00
[   68.760756]  genl_rcv+0x1f/0x30
[   68.760756]  netlink_unicast+0x430/0x710
[   68.760756]  ? memset+0x20/0x40
[   68.760756]  ? netlink_attachskb+0x740/0x740
[   68.760756]  ? __build_skb_around+0x1f4/0x2a0
[   68.760756]  netlink_sendmsg+0x75d/0xc00
[   68.760756]  ? netlink_unicast+0x710/0x710
[   68.760756]  ? netlink_unicast+0x710/0x710
[   68.760756]  sock_sendmsg+0xdf/0x110
[   68.760756]  __sys_sendto+0x19e/0x270
[   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0
[   68.760756]  ? fd_install+0x178/0x4c0
[   68.760756]  ? fd_install+0x195/0x4c0
[   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0
[   68.760756]  __x64_sys_sendto+0xd8/0x1b0
[   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130
[   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50
[   68.760756]  do_syscall_64+0x3b/0x90
[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.760756] RIP: 0033:0x7f67fb50e6b3
...
[   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3
[   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003
[   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c
[   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e
[   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003

[   68.760756]  </TASK>
[   68.760756]
[   68.760756] Allocated by task 279:
[   68.760756]  kasan_save_stack+0x1e/0x40
[
---truncated---
CWE
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 , < a8e03bcad52dc9afabf650fdbad84f739cec9efa (git)
Affected: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 , < f81270125b50532624400063281e6611ecd61ddf (git)
Affected: c45cea83e13699bdfd47842e04d09dd43af4c371 , < 6abfaca8711803d0d7cc8c0fac1070a88509d463 (git)
Affected: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 , < fbf9c4c714d3cdeb98b6a18e4d057f931cad1d81 (git)
Affected: 73a0d12114b4bc1a9def79a623264754b9df698e , < 2a1b5110c95e4d49c8c3906270dfcde680a5a7be (git)
Affected: 8a9c61c3ef187d8891225f9b932390670a43a0d3 , < 1632be63862f183cd5cf1cc094e698e6ec005dfd (git)
Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 4a68938f43b7c2663e4c90bb9bbe29ac8b9a42a0 (git)
Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 4f5d71930f41be78557f9714393179025baacd65 (git)
Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9 (git)
Affected: 5ef16d2d172ee56714cff37cd005b98aba08ef5a (git)
    Linux Linux Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 4.9.318 , ≤ 4.9.* (semver)
Unaffected: 4.14.283 , ≤ 4.14.* (semver)
Unaffected: 4.19.247 , ≤ 4.19.* (semver)
Unaffected: 5.4.198 , ≤ 5.4.* (semver)
Unaffected: 5.10.121 , ≤ 5.10.* (semver)
Unaffected: 5.15.46 , ≤ 5.15.* (semver)
Unaffected: 5.17.14 , ≤ 5.17.* (semver)
Unaffected: 5.18.3 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49505",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:28.672028Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:28.632Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8e03bcad52dc9afabf650fdbad84f739cec9efa",
              "status": "affected",
              "version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
              "versionType": "git"
            },
            {
              "lessThan": "f81270125b50532624400063281e6611ecd61ddf",
              "status": "affected",
              "version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
              "versionType": "git"
            },
            {
              "lessThan": "6abfaca8711803d0d7cc8c0fac1070a88509d463",
              "status": "affected",
              "version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
              "versionType": "git"
            },
            {
              "lessThan": "fbf9c4c714d3cdeb98b6a18e4d057f931cad1d81",
              "status": "affected",
              "version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
              "versionType": "git"
            },
            {
              "lessThan": "2a1b5110c95e4d49c8c3906270dfcde680a5a7be",
              "status": "affected",
              "version": "73a0d12114b4bc1a9def79a623264754b9df698e",
              "versionType": "git"
            },
            {
              "lessThan": "1632be63862f183cd5cf1cc094e698e6ec005dfd",
              "status": "affected",
              "version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
              "versionType": "git"
            },
            {
              "lessThan": "4a68938f43b7c2663e4c90bb9bbe29ac8b9a42a0",
              "status": "affected",
              "version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
              "versionType": "git"
            },
            {
              "lessThan": "4f5d71930f41be78557f9714393179025baacd65",
              "status": "affected",
              "version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
              "versionType": "git"
            },
            {
              "lessThan": "1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9",
              "status": "affected",
              "version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/nfc/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.318",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.283",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.318",
                  "versionStartIncluding": "4.9.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.283",
                  "versionStartIncluding": "4.14.256",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.247",
                  "versionStartIncluding": "4.19.218",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.198",
                  "versionStartIncluding": "5.4.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.121",
                  "versionStartIncluding": "5.10.82",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.46",
                  "versionStartIncluding": "5.15.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.293",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: NULL out the dev-\u003erfkill to prevent UAF\n\nCommit 3e3b5dfcd16a (\"NFC: reorder the logic in nfc_{un,}register_device\")\nassumes the device_is_registered() in function nfc_dev_up() will help\nto check when the rfkill is unregistered. However, this check only\ntake effect when device_del(\u0026dev-\u003edev) is done in nfc_unregister_device().\nHence, the rfkill object is still possible be dereferenced.\n\nThe crash trace in latest kernel (5.18-rc2):\n\n[   68.760105] ==================================================================\n[   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750\n[   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313\n[   68.760756]\n[   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4\n[   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   68.760756] Call Trace:\n[   68.760756]  \u003cTASK\u003e\n[   68.760756]  dump_stack_lvl+0x57/0x7d\n[   68.760756]  print_report.cold+0x5e/0x5db\n[   68.760756]  ? __lock_acquire+0x3ec1/0x6750\n[   68.760756]  kasan_report+0xbe/0x1c0\n[   68.760756]  ? __lock_acquire+0x3ec1/0x6750\n[   68.760756]  __lock_acquire+0x3ec1/0x6750\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  ? register_lock_class+0x18d0/0x18d0\n[   68.760756]  lock_acquire+0x1ac/0x4f0\n[   68.760756]  ? rfkill_blocked+0xe/0x60\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0\n[   68.760756]  ? nla_get_range_signed+0x540/0x540\n[   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50\n[   68.760756]  _raw_spin_lock_irqsave+0x39/0x50\n[   68.760756]  ? rfkill_blocked+0xe/0x60\n[   68.760756]  rfkill_blocked+0xe/0x60\n[   68.760756]  nfc_dev_up+0x84/0x260\n[   68.760756]  nfc_genl_dev_up+0x90/0xe0\n[   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0\n[   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230\n[   68.760756]  ? security_capable+0x51/0x90\n[   68.760756]  genl_rcv_msg+0x280/0x500\n[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0\n[   68.760756]  ? lock_acquire+0x1ac/0x4f0\n[   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  netlink_rcv_skb+0x11b/0x340\n[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0\n[   68.760756]  ? netlink_ack+0x9c0/0x9c0\n[   68.760756]  ? netlink_deliver_tap+0x136/0xb00\n[   68.760756]  genl_rcv+0x1f/0x30\n[   68.760756]  netlink_unicast+0x430/0x710\n[   68.760756]  ? memset+0x20/0x40\n[   68.760756]  ? netlink_attachskb+0x740/0x740\n[   68.760756]  ? __build_skb_around+0x1f4/0x2a0\n[   68.760756]  netlink_sendmsg+0x75d/0xc00\n[   68.760756]  ? netlink_unicast+0x710/0x710\n[   68.760756]  ? netlink_unicast+0x710/0x710\n[   68.760756]  sock_sendmsg+0xdf/0x110\n[   68.760756]  __sys_sendto+0x19e/0x270\n[   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0\n[   68.760756]  ? fd_install+0x178/0x4c0\n[   68.760756]  ? fd_install+0x195/0x4c0\n[   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0\n[   68.760756]  __x64_sys_sendto+0xd8/0x1b0\n[   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130\n[   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50\n[   68.760756]  do_syscall_64+0x3b/0x90\n[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   68.760756] RIP: 0033:0x7f67fb50e6b3\n...\n[   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\n[   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3\n[   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003\n[   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c\n[   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e\n[   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003\n\n[   68.760756]  \u003c/TASK\u003e\n[   68.760756]\n[   68.760756] Allocated by task 279:\n[   68.760756]  kasan_save_stack+0x1e/0x40\n[\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:44:52.412Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8e03bcad52dc9afabf650fdbad84f739cec9efa"
        },
        {
          "url": "https://git.kernel.org/stable/c/f81270125b50532624400063281e6611ecd61ddf"
        },
        {
          "url": "https://git.kernel.org/stable/c/6abfaca8711803d0d7cc8c0fac1070a88509d463"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbf9c4c714d3cdeb98b6a18e4d057f931cad1d81"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a1b5110c95e4d49c8c3906270dfcde680a5a7be"
        },
        {
          "url": "https://git.kernel.org/stable/c/1632be63862f183cd5cf1cc094e698e6ec005dfd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a68938f43b7c2663e4c90bb9bbe29ac8b9a42a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f5d71930f41be78557f9714393179025baacd65"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9"
        }
      ],
      "title": "NFC: NULL out the dev-\u003erfkill to prevent UAF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49505",
    "datePublished": "2025-02-26T02:13:37.496Z",
    "dateReserved": "2025-02-26T02:08:31.586Z",
    "dateUpdated": "2025-05-04T12:44:52.412Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

