CVE-2022-49059: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: add flush_workqueue to prevent uaf

Our detector found a concurrent use-after-free bug when detaching an NCI device. The main reason for this bug is the unexpected scheduling between the used delayed mechanisms (timer and workqueue). The race can be demonstrated below:

    Thread-1                               Thread-2
                                     | nci_dev_up()
                                     |   nci_open_device()
                                     |     __nci_request(nci_reset_req)
                                     |       nci_send_cmd
                                     |         queue_work(cmd_work)
    nci_unregister_device()          |
      nci_close_device()             | ...
        del_timer_sync(cmd_timer)[1] |
      ...                            | Worker
      nci_free_device()              | nci_cmd_work()
        kfree(ndev)[3]               |   mod_timer(cmd_timer)[2]

In short, the cleanup routine thought that the cmd_timer had already been detached by [1], but the mod_timer can re-attach the timer [2] even though it is already released [3], resulting in UAF.

This UAF is easy to trigger; the crash trace by POC is like below:

    [ 66.703713] ==================================================================
    [ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
    [ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
    [ 66.703974]
    [ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
    [ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
    [ 66.703974] Call Trace:
    [ 66.703974]  <TASK>
    [ 66.703974]  dump_stack_lvl+0x57/0x7d
    [ 66.703974]  print_report.cold+0x5e/0x5db
    [ 66.703974]  ? enqueue_timer+0x448/0x490
    [ 66.703974]  kasan_report+0xbe/0x1c0
    [ 66.703974]  ? enqueue_timer+0x448/0x490
    [ 66.703974]  enqueue_timer+0x448/0x490
    [ 66.703974]  __mod_timer+0x5e6/0xb80
    [ 66.703974]  ? mark_held_locks+0x9e/0xe0
    [ 66.703974]  ? try_to_del_timer_sync+0xf0/0xf0
    [ 66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410
    [ 66.703974]  ? queue_work_on+0x61/0x80
    [ 66.703974]  ? lockdep_hardirqs_on+0xbf/0x130
    [ 66.703974]  process_one_work+0x8bb/0x1510
    [ 66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [ 66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230
    [ 66.703974]  ? rwlock_bug.part.0+0x90/0x90
    [ 66.703974]  ? _raw_spin_lock_irq+0x41/0x50
    [ 66.703974]  worker_thread+0x575/0x1190
    [ 66.703974]  ? process_one_work+0x1510/0x1510
    [ 66.703974]  kthread+0x2a0/0x340
    [ 66.703974]  ? kthread_complete_and_exit+0x20/0x20
    [ 66.703974]  ret_from_fork+0x22/0x30
    [ 66.703974]  </TASK>
    [ 66.703974]
    [ 66.703974] Allocated by task 267:
    [ 66.703974]  kasan_save_stack+0x1e/0x40
    [ 66.703974]  __kasan_kmalloc+0x81/0xa0
    [ 66.703974]  nci_allocate_device+0xd3/0x390
    [ 66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0
    [ 66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd
    [ 66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0
    [ 66.703974]  tty_ioctl+0x764/0x1310
    [ 66.703974]  __x64_sys_ioctl+0x122/0x190
    [ 66.703974]  do_syscall_64+0x3b/0x90
    [ 66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 66.703974]
    [ 66.703974] Freed by task 406:
    [ 66.703974]  kasan_save_stack+0x1e/0x40
    [ 66.703974]  kasan_set_track+0x21/0x30
    [ 66.703974]  kasan_set_free_info+0x20/0x30
    [ 66.703974]  __kasan_slab_free+0x108/0x170
    [ 66.703974]  kfree+0xb0/0x330
    [ 66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0
    [ 66.703974]  nci_uart_tty_close+0xdf/0x180
    [ 66.703974]  tty_ldisc_kill+0x73/0x110
    [ 66.703974]  tty_ldisc_hangup+0x281/0x5b0
    [ 66.703974]  __tty_hangup.part.0+0x431/0x890
    [ 66.703974]  tty_release+0x3a8/0xc80
    [ 66.703974]  __fput+0x1f0/0x8c0
    [ 66.703974]  task_work_run+0xc9/0x170
    [ 66.703974]  exit_to_user_mode_prepare+0x194/0x1a0
    [ 66.703974]  syscall_exit_to_user_mode+0x19/0x50
    [ 66.703974]  do_syscall_64+0x48/0x90
    [ 66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0x
    ---truncated---
AI Analysis
Technical Summary
CVE-2022-49059 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the NCI (NFC Controller Interface) device handling code. The flaw is a race condition between concurrent threads managing the lifecycle of an NCI device. When detaching an NCI device, the cleanup routine calls del_timer_sync() to remove the command timer (cmd_timer) and assumes it stays detached. However, command work (nci_cmd_work) that was queued earlier can still run on a worker thread and re-arm that timer via mod_timer() after the device memory has been freed with kfree(ndev), so the timer code writes into freed memory. The race is a product of the two deferred-execution mechanisms involved (timer and workqueue): the cleanup path cancels the timer but never waits for the already-queued work, and that work can re-arm the timer whenever the scheduler runs it. The crash log in the description shows KASAN (Kernel Address Sanitizer) catching an 8-byte write to freed memory in enqueue_timer(), reached via __mod_timer() from the nfc2_nci_cmd_wq worker on a 5.18.0-rc2 kernel. The flaw affects Linux kernel versions including commit 6a2968aaf50c7a22fced77a5e24aa636281efca8 and likely others in the 5.x and 6.x series. Exploitation requires local privileges (PR:L) but no user interaction (UI:N), and the attack vector is local (AV:L). The impact includes full compromise of confidentiality, integrity, and availability of the affected system through potential arbitrary code execution or kernel crashes. No known exploits are currently reported in the wild, but the race is easy to trigger. The flaw is categorized under CWE-416 (Use After Free). The upstream fix adds flush_workqueue() calls so that queued command work has completed before the device is torn down, closing the window in which mod_timer() could re-arm a timer belonging to freed memory. The CVSS v3.1 base score is 7.8, reflecting high severity with high impact on confidentiality, integrity, and availability.
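To make the interleaving in the commit message concrete, the following user-space pthread model reproduces the teardown ordering and shows why flushing the workqueue closes the race. It is an added example, not the kernel's code or the upstream patch: every *_sim function, the gate_open scheduling hook and run_teardown() are assumptions of the model, and kfree_sim() sets a poison flag instead of calling free() so the object can still be inspected where KASAN would otherwise have reported the write.

```c
/* User-space model of the CVE-2022-49059 teardown race (added example, not
 * kernel code). *_sim functions are hypothetical stand-ins for the kernel
 * APIs of the same name. A worker re-arms a "timer" stored inside the device;
 * cleanup either frees the device before waiting for that work (the bug) or
 * flushes the workqueue first (the fix).  Build: cc -pthread race_model.c */
#include <pthread.h>
#include <stdio.h>

struct nci_dev_sim {
    pthread_mutex_t lock;
    int timer_armed;        /* ndev->cmd_timer is pending */
    int freed;              /* poison flag set by kfree_sim instead of free() */
    int writes_after_free;  /* what KASAN reported as a write to freed memory */
};

struct workqueue_sim {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    int pending, running, stop;
    int gate_open;          /* scheduling hook: cmd_work may not start until opened */
    struct nci_dev_sim *ndev;
    pthread_t thread;
};

struct teardown_result {
    int writes_after_free;       /* 1: worker wrote into the freed device */
    int timer_armed_after_free;  /* 1: a timer referencing freed memory is left armed */
};

static void mod_timer_sim(struct nci_dev_sim *ndev)       /* mod_timer(cmd_timer) [2] */
{
    pthread_mutex_lock(&ndev->lock);
    if (ndev->freed)
        ndev->writes_after_free++;
    ndev->timer_armed = 1;
    pthread_mutex_unlock(&ndev->lock);
}

static void del_timer_sync_sim(struct nci_dev_sim *ndev)  /* del_timer_sync(cmd_timer) [1] */
{
    pthread_mutex_lock(&ndev->lock);
    ndev->timer_armed = 0;
    pthread_mutex_unlock(&ndev->lock);
}

static void kfree_sim(struct nci_dev_sim *ndev)           /* kfree(ndev) [3] */
{
    pthread_mutex_lock(&ndev->lock);
    ndev->freed = 1;
    pthread_mutex_unlock(&ndev->lock);
}

static void *worker_main(void *arg)                       /* the workqueue's kworker */
{
    struct workqueue_sim *wq = arg;

    pthread_mutex_lock(&wq->lock);
    for (;;) {
        while (!wq->pending && !wq->stop)
            pthread_cond_wait(&wq->cv, &wq->lock);
        if (!wq->pending)
            break;                               /* stop requested, queue empty */
        wq->pending = 0;
        wq->running = 1;
        while (!wq->gate_open)                   /* emulate "not scheduled yet" */
            pthread_cond_wait(&wq->cv, &wq->lock);
        pthread_mutex_unlock(&wq->lock);
        mod_timer_sim(wq->ndev);                 /* body of nci_cmd_work() */
        pthread_mutex_lock(&wq->lock);
        wq->running = 0;
        pthread_cond_broadcast(&wq->cv);
    }
    pthread_mutex_unlock(&wq->lock);
    return NULL;
}

static void wq_set(struct workqueue_sim *wq, int *flag)   /* set a flag, wake waiters */
{
    pthread_mutex_lock(&wq->lock);
    *flag = 1;
    pthread_cond_broadcast(&wq->cv);
    pthread_mutex_unlock(&wq->lock);
}

static void flush_workqueue_sim(struct workqueue_sim *wq) /* the fix: wait for cmd_work */
{
    pthread_mutex_lock(&wq->lock);
    while (wq->pending || wq->running)
        pthread_cond_wait(&wq->cv, &wq->lock);
    pthread_mutex_unlock(&wq->lock);
}

/* One open/close cycle. with_flush=0 forces the interleaving from the commit
 * message; with_flush=1 applies the patched ordering. */
struct teardown_result run_teardown(int with_flush)
{
    struct nci_dev_sim dev = { .timer_armed = 0, .freed = 0, .writes_after_free = 0 };
    struct workqueue_sim wq = { .pending = 0, .running = 0, .stop = 0, .gate_open = 0, .ndev = &dev };
    struct teardown_result r;

    pthread_mutex_init(&dev.lock, NULL);
    pthread_mutex_init(&wq.lock, NULL);
    pthread_cond_init(&wq.cv, NULL);
    pthread_create(&wq.thread, NULL, worker_main, &wq);

    wq_set(&wq, &wq.pending);       /* Thread-1: nci_dev_up() ... queue_work(cmd_work) */

    /* Thread-2: nci_unregister_device() -> nci_close_device() */
    if (with_flush) {
        wq_set(&wq, &wq.gate_open);
        flush_workqueue_sim(&wq);   /* cmd_work and its mod_timer finish while ndev is alive */
    }
    del_timer_sync_sim(&dev);       /* [1] */
    kfree_sim(&dev);                /* [3] */
    if (!with_flush)
        wq_set(&wq, &wq.gate_open); /* worker runs only now: mod_timer [2] hits freed memory */

    wq_set(&wq, &wq.stop);
    pthread_join(wq.thread, NULL);
    r.writes_after_free = dev.writes_after_free;
    r.timer_armed_after_free = dev.freed && dev.timer_armed;
    return r;
}

int main(void)
{
    struct teardown_result bug = run_teardown(0), fix = run_teardown(1);

    printf("without flush: writes after free=%d, dangling timer=%d\n",
           bug.writes_after_free, bug.timer_armed_after_free);
    printf("with flush:    writes after free=%d, dangling timer=%d\n",
           fix.writes_after_free, fix.timer_armed_after_free);
    return 0;
}
```

Two points the model makes visible: the flush has to happen before del_timer_sync(), because work flushed afterwards could still re-arm the timer that was just deleted; and on real hardware the harmful schedule depends on when the kworker gets the CPU, which is why the bug is easy to trigger but not deterministic, whereas the gate_open hook here forces it on every run.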
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux-based systems with NFC capabilities, such as embedded devices, IoT gateways, industrial control systems, and mobile devices running vulnerable Linux kernels. Exploitation can lead to kernel crashes causing denial of service, or to privilege escalation to root, enabling attackers to gain full control over affected systems. This can compromise sensitive data, disrupt critical services, and potentially serve as a foothold for lateral movement within networks. Organizations in sectors like manufacturing, healthcare, transportation, and finance that deploy Linux-based infrastructure with NFC components are particularly at risk. The local attack vector means that attackers need some level of access, but insider threats or compromised user accounts could leverage this vulnerability to escalate privileges. The absence of a user-interaction requirement increases the risk of automated exploitation once local access is obtained. Given the widespread use of Linux in European IT environments and the increasing adoption of NFC technologies, the vulnerability could affect a broad range of systems if left unpatched.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2022-49059 is critical. Organizations should track kernel updates from their Linux distribution vendors and deploy them promptly.
2. For environments where immediate patching is not feasible, consider disabling NFC functionality or unloading the NFC kernel modules (e.g., nci, nfcmrvl) to eliminate the attack surface.
3. Implement strict access controls and monitoring on systems with NFC capabilities to prevent unauthorized local access, including limiting user privileges and employing endpoint detection and response (EDR) solutions to detect anomalous kernel activity.
4. Use kernel hardening features such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and SELinux/AppArmor policies to reduce exploitation likelihood.
5. Conduct thorough audits of systems with NFC hardware to identify vulnerable kernel versions and NFC usage.
6. Employ network segmentation and zero-trust principles to limit lateral movement from compromised hosts.
7. Maintain comprehensive logging and alerting for kernel crashes or suspicious workqueue/timer activity that could indicate exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.243Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6a1a
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/3/2025, 3:26:40 AM
Last updated: 8/7/2025, 10:54:42 AM