CVE-2022-50704
Use-After-Free in Linux USB Gadget Config Switch Causes Kernel Panic

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free during usb config switch

In the process of switching USB config from rndis to another config, if the hardware does not support the ->pullup callback, or the hardware encounters a low-probability fault, either of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior.

Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"
    gether_disconnect+0x2c/0x1f8
    rndis_disable+0x4c/0x74
    composite_disconnect+0x74/0xb0
    configfs_composite_disconnect+0x60/0x7c
    usb_gadget_disconnect+0x70/0x124
    usb_gadget_unregister_driver+0xc8/0x1d8
    gadget_dev_desc_UDC_store+0xec/0x1e4

(2) rm /config/usb_gadget/g1/configs/b.1/f1
    rndis_deregister+0x28/0x54
    rndis_free+0x44/0x7c
    usb_put_function+0x14/0x1c
    config_usb_cfg_unlink+0xc4/0xe0
    configfs_unlink+0x124/0x1c8
    vfs_unlink+0x114/0x1dc

(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
    panic+0x1fc/0x3d0
    do_page_fault+0xa8/0x46c
    do_mem_abort+0x3c/0xac
    el1_sync_handler+0x40/0x78
    0xffffff801138f880
    rndis_close+0x28/0x34
    eth_stop+0x74/0x110
    dev_close_many+0x48/0x194
    rollback_registered_many+0x118/0x814
    unregister_netdev+0x20/0x30
    gether_cleanup+0x1c/0x38
    rndis_attr_release+0xc/0x14
    kref_put+0x74/0xb8
    configfs_rmdir+0x314/0x374

If gadget->ops->pullup() returns an error, function rndis_close() will be called, which then causes a use-after-free problem.
=======================================================================
Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor    Product        Version / Range
linux     linux_kernel   *
Exploitability
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's USB gadget subsystem. It occurs during the process of switching USB configurations from rndis to another configuration. If the hardware does not support the pullup callback or encounters a rare fault causing the pullup callback to fail, it can lead to a system panic due to use-after-free. Specifically, when the pullup callback returns an error, the function rndis_close() is called, which triggers the use-after-free problem.


How can this vulnerability impact me?

This vulnerability can cause a system panic (crash) in the Linux kernel when switching USB configurations under certain hardware conditions. This can lead to denial of service, making the system unstable or unavailable until rebooted or fixed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for system panics or crashes related to USB gadget configuration switches, especially when switching from rndis to other configurations. Specific commands that interact with the USB gadget configfs interface, such as writing "none" to /config/usb_gadget/g1/UDC, removing /config/usb_gadget/g1/configs/b.1/f1, or removing the directory /config/usb_gadget/g1/functions/rndis.gs4, may trigger the issue if the system is vulnerable. Monitoring kernel logs (e.g., using dmesg) for panic messages related to usb_gadget_disconnect or rndis_close functions can also help detect the problem.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding switching USB gadget configurations from rndis to other configurations on affected systems until a patch is applied. If possible, do not unload gadget drivers or perform operations that trigger the pullup callback failure. Applying the official Linux kernel update that fixes the use-after-free during USB config switch is the recommended long-term mitigation.

