CVE-2022-50421
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Avoid double destroy of default endpoint

The rpmsg_dev_remove() in rpmsg_core is the place for releasing this default endpoint. So we need to avoid destroying the default endpoint in rpmsg_chrdev_eptdev_destroy(); this should be the same as rpmsg_eptdev_release(). Otherwise there will be a double destroy issue where ept->refcount reports a warning:

refcount_t: underflow; use-after-free.

Call trace:
  refcount_warn_saturate+0xf8/0x150
  virtio_rpmsg_destroy_ept+0xd4/0xec
  rpmsg_dev_remove+0x60/0x70

The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.
Meta Information
Published: 2025-10-01
Last Modified: 2025-12-11
Generated: 2026-05-07
AI Q&A: 2025-10-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product      | Version / Range
linux  | linux_kernel | From 5.18 (inc) to 5.19.17 (exc)
linux  | linux_kernel | From 6.0 (inc) to 6.0.3 (exc)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves the rpmsg driver where the default endpoint is destroyed twice due to improper handling in the code. Specifically, the default endpoint should only be released in rpmsg_dev_remove(), but it is also destroyed in rpmsg_chrdev_eptdev_destroy(), causing a double destroy issue. This leads to a refcount underflow and a use-after-free warning, which can be triggered by stopping remoteproc before closing the /dev/rpmsgX device.


How can this vulnerability impact me?

The vulnerability can cause a use-after-free condition in the Linux kernel's rpmsg driver, which may lead to system instability, crashes, or unexpected behavior when managing remote processor messaging endpoints. This could potentially be exploited to cause denial of service or other unintended effects on systems using this driver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing warning messages related to refcount underflow and use-after-free in the system logs. Specifically, look for warnings such as 'refcount_t: underflow; use-after-free' and call traces involving 'refcount_warn_saturate', 'virtio_rpmsg_destroy_ept', and 'rpmsg_dev_remove'. You can check the kernel logs using commands like 'dmesg | grep refcount' or 'journalctl -k | grep refcount' to find these warnings.
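The log check described above, as an added example that is not part of the original page: a POSIX shell function that scans kernel log text for the underflow warning followed shortly by the rpmsg_dev_remove frame, rather than matching "refcount" alone. The function names and the sample log lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): detect the CVE-2022-50421 log
# signature, i.e. a refcount underflow warning whose call trace reaches
# rpmsg_dev_remove. Function names are assumed, not from any tool.

# Constructed sample kernel log lines resembling the trace in the advisory.
SAMPLE_LOG='[  123.456789] remoteproc remoteproc0: stopped remote processor
[  123.456912] ------------[ cut here ]------------
[  123.457001] refcount_t: underflow; use-after-free.
[  123.457100] WARNING: CPU: 1 PID: 210 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x150
[  123.457300] Call trace:
[  123.457350]  refcount_warn_saturate+0xf8/0x150
[  123.457400]  virtio_rpmsg_destroy_ept+0xd4/0xec
[  123.457450]  rpmsg_dev_remove+0x60/0x70'

# rpmsg_refcount_hits: read log text on stdin and print how many underflow
# warnings are followed within 10 lines by an rpmsg_dev_remove frame.
# A plain "grep refcount" would also match unrelated refcount warnings.
rpmsg_refcount_hits() {
    awk '
        /refcount_t: underflow; use-after-free/ { pending = 10; next }
        pending > 0 && /rpmsg_dev_remove/ { hits++; pending = 0; next }
        pending > 0 { pending-- }
        END { print hits + 0 }
    '
}

# check_rpmsg_live: run the same check against the running kernel log,
# preferring journalctl when it is available.
check_rpmsg_live() {
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -k --no-pager 2>/dev/null | rpmsg_refcount_hits
    else
        dmesg 2>/dev/null | rpmsg_refcount_hits
    fi
}

# Run against the constructed sample: prints 1
printf '%s\n' "$SAMPLE_LOG" | rpmsg_refcount_hits
```

A non-zero count from check_rpmsg_live on a kernel in the affected ranges is a sign the double destroy has already been hit, and the host should be scheduled for the patched kernel.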


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid stopping the remoteproc service before closing the /dev/rpmsgX device, as the issue is reproducible by stopping remoteproc before closing the device. Ensure that the system is updated with the patched Linux kernel version that resolves the double destroy of the default endpoint in rpmsg. Monitoring and applying kernel updates that fix this issue is recommended.

