CVE-2022-49082: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

The function mpt3sas_transport_port_remove() called in _scsih_expander_node_remove() frees the port field of the sas_expander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ==================================================================
[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
[ 3479.393524]
[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
[ 3479.409263] Call Trace:
[ 3479.411743] <TASK>
[ 3479.413875] dump_stack_lvl+0x45/0x59
[ 3479.417582] print_address_description.constprop.0+0x1f/0x120
[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.429469] kasan_report.cold+0x83/0xdf
[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40
[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]
[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
[ 3479.465529] ? down_write+0xde/0x150
[ 3479.470746] ? up_write+0x14d/0x460
[ 3479.475840] ? kernfs_find_ns+0x137/0x310
[ 3479.481438] pci_device_remove+0x65/0x110
[ 3479.487013] __device_release_driver+0x316/0x680
[ 3479.493180] driver_detach+0x1ec/0x2d0
[ 3479.498499] bus_remove_driver+0xe7/0x2d0
[ 3479.504081] pci_unregister_driver+0x26/0x250
[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510
[ 3479.522315] ? free_module+0xaa0/0xaa0
[ 3479.527593] ? __cond_resched+0x1c/0x90
[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70
[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110
[ 3479.551828] do_syscall_64+0x35/0x80
[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 3479.563402] RIP: 0033:0x7f1fc482483b
...
[ 3479.943087] ==================================================================

Fix this by introducing the local variable port_id to store the port ID value before executing mpt3sas_transport_port_remove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.
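The ordering bug and its fix, reduced to a stand-alone C model so the two variants can be compared side by side. This is an added example, not mpt3sas source: the struct layouts, the in-place poisoning "allocator" and all function names are simplified assumptions standing in for the kernel objects the commit message names.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the structures the advisory names
 * (not the real mpt3sas definitions): the expander owns a pointer to its
 * port, and the port carries the port_id that ioc_info() logs. */
struct hba_port { uint8_t port_id; };
struct sas_expander { struct hba_port *port; };

/* Tiny fake allocator: "freeing" poisons the object in place instead of
 * handing it back to libc, so a stale read yields a deterministic 0xAA
 * rather than undefined behaviour (a freed kernel slab object is likewise
 * garbage from the reader's point of view). */
#define POISON 0xAA
static struct hba_port port_slot;

static struct hba_port *port_alloc(uint8_t id)
{
    port_slot.port_id = id;
    return &port_slot;
}

/* Stand-in for mpt3sas_transport_port_remove(): frees the expander's port
 * but, like the real function, leaves the caller's pointer dangling. */
static void transport_port_remove(struct sas_expander *exp)
{
    memset(exp->port, POISON, sizeof(*exp->port));
}

/* Vulnerable ordering (CVE-2022-49082): the value handed to the log call
 * is read through exp->port after the port has already been freed. */
static int node_remove_vulnerable(struct sas_expander *exp)
{
    transport_port_remove(exp);
    return exp->port->port_id;            /* use-after-free read */
}

/* Fixed ordering: copy port_id into a local before the free, log the local. */
static int node_remove_fixed(struct sas_expander *exp)
{
    uint8_t port_id = exp->port->port_id; /* saved while still valid */
    transport_port_remove(exp);
    return port_id;
}

/* Build an expander with the given port_id and return what each variant
 * would have logged; the vulnerable one reports POISON instead of the id. */
int run_vulnerable(uint8_t id) { struct sas_expander e = { port_alloc(id) }; return node_remove_vulnerable(&e); }
int run_fixed(uint8_t id)      { struct sas_expander e = { port_alloc(id) }; return node_remove_fixed(&e); }
```

Under KASAN the stale read in the vulnerable variant is what produces the "Read of size 1" report quoted above; the fixed variant never touches the port after it is released.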
AI Analysis
Technical Summary
CVE-2022-49082 is a high-severity use-after-free vulnerability in the Linux kernel's mpt3sas driver, which manages SAS (Serial Attached SCSI) storage devices. The flaw occurs in the function _scsih_expander_node_remove(), where the port field of the sas_expander structure is freed by a call to mpt3sas_transport_port_remove(). The code then reads this freed memory in the ioc_info() call that follows, for example when the driver module is removed via rmmod. The Kernel Address Sanitizer (KASAN) reports the stale access as an invalid memory read; such a read can lead to kernel crashes or potentially allow an attacker to execute arbitrary code with kernel privileges. The root cause is improper handling of the port pointer lifecycle. The fix introduces a local variable that stores the port ID before the port structure is freed, so no freed memory is dereferenced. The affected Linux kernel versions are those identified by the specified commit hashes, and the issue is classified under CWE-416 (Use After Free). The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring local privileges and no user interaction. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially to enterprises and data centers relying on Linux servers with SAS storage controllers that use the mpt3sas driver. Exploitation could lead to kernel crashes causing denial of service, or to privilege escalation allowing attackers to gain full control over affected systems. This could compromise the confidentiality and integrity of sensitive data, disrupt critical business operations, and impact the availability of services. Organizations running Linux-based infrastructure in sectors such as finance, healthcare, telecommunications, and government are particularly at risk due to the critical nature of their data and services. The vulnerability requires local access with low complexity, so insider threats or attackers who have already gained limited access could leverage this flaw to escalate privileges. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed and patched. The impact is heightened in environments where kernel module management and SAS storage devices are common, which includes many European enterprise IT environments.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that fix CVE-2022-49082. Since the fix involves changes to the mpt3sas driver code, updating to a patched kernel version is essential. Organizations should:

1) Identify all Linux systems using the mpt3sas driver, particularly those with SAS storage hardware.
2) Schedule and perform kernel updates during maintenance windows to minimize disruption.
3) Implement strict access controls to limit local user privileges and reduce the risk of exploitation by untrusted users.
4) Monitor kernel logs and system behavior for signs of use-after-free or memory corruption issues.
5) Employ kernel hardening techniques such as KASAN or other memory safety tools in testing environments to detect similar issues proactively.
6) Restrict module loading/unloading permissions to trusted administrators only, reducing the attack surface related to module removal operations.
7) Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation or system crashes.

These steps go beyond generic advice by focusing on the specific driver and kernel module management context of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.247Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6ad8
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/3/2025, 3:27:07 AM
Last updated: 8/8/2025, 10:31:10 PM