CVE-2022-50421
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Avoid double destroy of default endpoint The rpmsg_dev_remove() in rpmsg_core is the place for releasing this default endpoint. So need to avoid destroying the default endpoint in rpmsg_chrdev_eptdev_destroy(), this should be the same as rpmsg_eptdev_release(). Otherwise there will be double destroy issue that ept->refcount report warning: refcount_t: underflow; use-after-free. Call trace: refcount_warn_saturate+0xf8/0x150 virtio_rpmsg_destroy_ept+0xd4/0xec rpmsg_dev_remove+0x60/0x70 The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50421
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.18 (inc) to 5.19.17 (exc)
linux linux_kernel From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves the rpmsg driver where the default endpoint is destroyed twice due to improper handling in the code. Specifically, the default endpoint should only be released in rpmsg_dev_remove(), but it is also destroyed in rpmsg_chrdev_eptdev_destroy(), causing a double destroy issue. This leads to a refcount underflow and a use-after-free warning, which can be triggered by stopping remoteproc before closing the /dev/rpmsgX device.

Impact Analysis

The vulnerability can cause a use-after-free condition in the Linux kernel's rpmsg driver, which may lead to system instability, crashes, or unexpected behavior when managing remote processor messaging endpoints. This could potentially be exploited to cause denial of service or other unintended effects on systems using this driver.

Detection Guidance

This vulnerability can be detected by observing warning messages related to refcount underflow and use-after-free in the system logs. Specifically, look for warnings such as 'refcount_t: underflow; use-after-free' and call traces involving 'refcount_warn_saturate', 'virtio_rpmsg_destroy_ept', and 'rpmsg_dev_remove'. You can check the kernel logs using commands like 'dmesg | grep refcount' or 'journalctl -k | grep refcount' to find these warnings.

Mitigation Strategies

To mitigate this vulnerability, avoid stopping the remoteproc service before closing the /dev/rpmsgX device, as the issue is reproducible by stopping remoteproc before closing the device. Ensure that the system is updated with the patched Linux kernel version that resolves the double destroy of the default endpoint in rpmsg. Monitoring and applying kernel updates that fix this issue is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart