Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50220

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
18/06/2025
Last modified:
19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: Fix linkwatch use-after-free on disconnect<br /> <br /> usbnet uses the work usbnet_deferred_kevent() to perform tasks which may<br /> sleep. On disconnect, completion of the work was originally awaited in<br /> -&gt;ndo_stop(). But in 2003, that was moved to -&gt;disconnect() by historic<br /> commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":<br /> <br /> https://git.kernel.org/tglx/history/c/0f138bbfd83c<br /> <br /> The change was made because back then, the kernel&amp;#39;s workqueue<br /> implementation did not allow waiting for a single work. One had to wait<br /> for completion of *all* work by calling flush_scheduled_work(), and that<br /> could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex<br /> held in -&gt;ndo_stop().<br /> <br /> The commit solved one problem but created another: It causes a<br /> use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,<br /> ax88179_178a.c, ch9200.c and smsc75xx.c:<br /> <br /> * If the drivers receive a link change interrupt immediately before<br /> disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)<br /> -&gt;status() callback and schedule usbnet_deferred_kevent().<br /> * usbnet_deferred_kevent() invokes the driver&amp;#39;s -&gt;link_reset() callback,<br /> which calls netif_carrier_{on,off}().<br /> * That in turn schedules the work linkwatch_event().<br /> <br /> Because usbnet_deferred_kevent() is awaited after unregister_netdev(),<br /> netif_carrier_{on,off}() may operate on an unregistered netdev and<br /> linkwatch_event() may run after free_netdev(), causing a use-after-free.<br /> <br /> In 2010, usbnet was changed to only wait for a single instance of<br /> usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf<br /> ("drivers/net: don&amp;#39;t use flush_scheduled_work()").<br /> <br /> Unfortunately the commit neglected to move the wait back to<br /> -&gt;ndo_stop(). Rectify that omission at long last.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.38 (including) 4.9.326 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.256 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 5.19.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools