Vulnerability identifier: #VU104492
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-416
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the pm_ops_is_empty() and device_pm_check_callbacks() functions in drivers/base/power/main.c. A local user can escalate privileges on the system.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/0cccf9d4fb45f1acbc0bbf6d7e4d8d0fb7a10416
https://git.kernel.org/stable/c/2add538e57a2825c61d639260386f385c75e4166
https://git.kernel.org/stable/c/3ec80d52b9b74b9e691997632a543c73eddfeba0
https://git.kernel.org/stable/c/524bb1da785a7ae43dd413cd392b5071c6c367f8
https://git.kernel.org/stable/c/78c4d68b952f5f537788dbd454031ea9bf50f642
https://git.kernel.org/stable/c/be8bc05f38d667eda1e820bc6f69234795be7809
https://git.kernel.org/stable/c/c29642ba72f87c0a3d7449f7db5d6d76a7ed53c3
https://git.kernel.org/stable/c/c7c0ec5a1dcc3eaa1e85c804c2ccf46e457788a3
https://git.kernel.org/stable/c/ede1ef1a7de973321699736ef96d01a4b9a6fe9e
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.