-
CVE-2022-50220
- EPSS 0.05%
- Published 18.06.2025 11:03:55
- Last modified 18.06.2025 13:47:40
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix linkwatch use-after-free on disconnect
usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
sleep. On disconnect, completion of the work was originally awaited in
->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
https://git.kernel.org/tglx/history/c/0f138bbfd83c
The change was made because back then, the kernel's workqueue
implementation did not allow waiting for a single work. One had to wait
for completion of *all* work by calling flush_scheduled_work(), and that
could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
held in ->ndo_stop().
The commit solved one problem but created another: It causes a
use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,
ax88179_178a.c, ch9200.c and smsc75xx.c:
* If the drivers receive a link change interrupt immediately before
disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)
->status() callback and schedule usbnet_deferred_kevent().
* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,
which calls netif_carrier_{on,off}().
* That in turn schedules the work linkwatch_event().
Because usbnet_deferred_kevent() is awaited after unregister_netdev(),
netif_carrier_{on,off}() may operate on an unregistered netdev and
linkwatch_event() may run after free_netdev(), causing a use-after-free.
In 2010, usbnet was changed to only wait for a single instance of
usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf
("drivers/net: don't use flush_scheduled_work()").
Unfortunately the commit neglected to move the wait back to
->ndo_stop(). Rectify that omission at long last.Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
d2d6b530d89b0a912148018027386aa049f0a309
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
e2a521a7dcc463c5017b4426ca0804e151faeff7
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
7f77dcbc030c2faa6d8e8a594985eeb34018409e
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
8b4588b8b00b299be16a35be67b331d8fdba03f3
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
135199a2edd459d2b123144efcd7f9bcd95128e4
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
635fd8953e4309b54ca6a81bed1d4a87668694f4
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
db3b738ae5f726204876f4303c49cfdf4311403f
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
Version <
a69e617e533edddf3fa3123149900f36e0a6dc74
Version
23f333a2bfafba80339315b724808982a9de57d9
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
2.6.38
Status
affected
Version <
2.6.38
Version
0
Status
unaffected
Version <=
4.9.*
Version
4.9.326
Status
unaffected
Version <=
4.14.*
Version
4.14.291
Status
unaffected
Version <=
4.19.*
Version
4.19.256
Status
unaffected
Version <=
5.4.*
Version
5.4.211
Status
unaffected
Version <=
5.10.*
Version
5.10.137
Status
unaffected
Version <=
5.15.*
Version
5.15.61
Status
unaffected
Version <=
5.18.*
Version
5.18.18
Status
unaffected
Version <=
5.19.*
Version
5.19.2
Status
unaffected
Version <=
*
Version
6.0
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.147 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|