CVE-2022-49196: Use-after-free in the Linux kernel (powerpc/pseries)
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries: Fix use after free in remove_phb_dynamic()

In remove_phb_dynamic() we use &phb->io_resource, after we've called device_unregister(&host_bridge->dev). But the unregister may have freed phb, because pcibios_free_controller_deferred() is the release function for the host_bridge.

If there are no outstanding references when we call device_unregister() then phb will be freed out from under us.

This has gone mainly unnoticed, but with slub_debug and page_poison enabled it can lead to a crash:

PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr"
#0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc
#1 [c0000000e4f075d0] oops_end at c000000000029608
#2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4
#3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8
#4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30
Data SLB Access [380] exception frame:
R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100
R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9
R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff
R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000
R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000
R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003
R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005
R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0
R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8
R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800
R30: c00000004d1d2400 R31: c00000004d1d2540
NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474
CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003
CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3
DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2
[NIP : release_resource+56]
[LR : release_resource+48]
#5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable)
#6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648
#7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]
#8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]
#9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c
#10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504
#11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868
#12 [c0000000e4f07c70] new_sync_write at c00000000054339c
#13 [c0000000e4f07d10] vfs_write at c000000000546624
#14 [c0000000e4f07d60] ksys_write at c0000000005469f4
#15 [c0000000e4f07db0] system_call_exception at c000000000030840
#16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168

To avoid it, we can take a reference to the host_bridge->dev until we're done using phb. Then when we drop the reference the phb will be freed.
AI Analysis
Technical Summary
CVE-2022-49196 is a use-after-free in the Linux kernel's PowerPC pSeries support, in remove_phb_dynamic(), the function that tears down a PCI host bridge (PHB) during dynamic logical partitioning (DLPAR). The function calls device_unregister(&host_bridge->dev) and afterwards still hands &phb->io_resource, a resource embedded in the pci_controller structure (phb), to release_resource(). Because pcibios_free_controller_deferred() is the release function of the host bridge device, device_unregister() frees phb the moment the registration reference turns out to be the last one, and release_resource() then reads fields of a freed object. The oops in the description shows exactly that: R10 and the faulting address DAR hold the 0x6b byte pattern, which is SLUB's free-object poison, so the pointer that release_resource() dereferenced was poison read back from the freed phb. The backtrace shows the trigger path as well: a write by drmgr to the remove_slot sysfs attribute of the rpadlpar_io hot-plug driver, descending through dlpar_remove_slot() into remove_phb_dynamic(). Without slub_debug and page_poison the freed memory is usually still intact when it is read, which is why the bug "has gone mainly unnoticed"; with those options enabled it crashes reliably. The root cause is an object-lifetime error, tracked as CWE-416 (Use After Free): phb's lifetime is tied to the host bridge's reference count, and the code kept using it after giving up what might be the last reference. The fix takes a reference on host_bridge->dev before unregistering it and drops that reference only after the last use of phb, so the release function runs where the code is genuinely finished with the object. The CVE record scores it CVSS v3.1 7.8 (High: local attack vector, low privileges, no user interaction, high confidentiality, integrity and availability impact). Two caveats apply to that score: the only known trigger is an administrative DLPAR slot removal through a sysfs control file that is writable only by root by default, and no exploit is known in the wild. The CVE was reserved in February 2025 for a fix that has been upstream since 2022, which is why the CVE record (not reproduced on this page) identifies the affected range by kernel commit hashes rather than by release numbers.
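The lifetime error and the fix, reduced to a runnable userspace model. This is an added illustration, not the kernel's code: the structures are cut down to the fields the bug touches, kfree() is modelled as slub_debug-style poisoning so the freed object can be inspected safely, and release_resource() returns -1 where the real kernel takes the data-access fault on the poisoned pointer. The third scenario shows why the bug went unnoticed: any other outstanding reference (say, an open sysfs file) keeps phb alive and hides the ordering mistake.

```c
/* Userspace model of the remove_phb_dynamic() lifetime bug and its fix.
 * Added example, not kernel code: struct device, struct resource and
 * struct pci_controller are stand-ins with only the fields the bug touches. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b   /* slub_debug poison byte: the 0x6b pattern in R10/DAR of the oops */

struct device {
    int refcount;                        /* kobject-style reference count */
    void (*release)(struct device *);    /* runs when the last reference is dropped */
};

struct resource {
    struct resource *parent;             /* release_resource() dereferences this */
    const char *name;
};

struct pci_controller {                  /* the "phb" */
    struct resource io_resource;
};

struct pci_host_bridge {
    struct device dev;                   /* first member, so a cast stands in for container_of() */
    struct pci_controller *phb;
};

/* Model of kfree() under slub_debug=P: the object is filled with poison but
 * the memory stays mapped, so reading it afterwards is well defined here. */
static void *last_freed;

static void kfree_poison(void *p, size_t n)
{
    memset(p, POISON_FREE, n);
    last_freed = p;
}

/* Stand-in for pcibios_free_controller_deferred(), the host bridge's release
 * function: it frees the phb, not the bridge structure itself. */
static void bridge_release(struct device *dev)
{
    struct pci_host_bridge *hb = (struct pci_host_bridge *)dev;
    kfree_poison(hb->phb, sizeof *hb->phb);
}

static void get_device(struct device *d) { d->refcount++; }
static void put_device(struct device *d) { if (--d->refcount == 0) d->release(d); }
static void device_unregister(struct device *d) { put_device(d); } /* drops the registration ref */

/* Stand-in for release_resource(): unlinks res from res->parent. Returns -1
 * where the real kernel faults on the poisoned parent pointer. */
static int release_resource(struct resource *res)
{
    uintptr_t poison;
    memset(&poison, POISON_FREE, sizeof poison);
    if ((uintptr_t)res->parent == poison)
        return -1;
    res->parent = NULL;
    return 0;
}

/* remove_phb_dynamic() before the fix: phb is used after device_unregister()
 * may already have run bridge_release(). */
static int remove_phb_buggy(struct pci_host_bridge *hb)
{
    struct pci_controller *phb = hb->phb;
    device_unregister(&hb->dev);
    return release_resource(&phb->io_resource);
}

/* After the fix: pin the bridge across the window and drop the pin last. */
static int remove_phb_fixed(struct pci_host_bridge *hb)
{
    struct pci_controller *phb = hb->phb;
    int rc;
    get_device(&hb->dev);
    device_unregister(&hb->dev);
    rc = release_resource(&phb->io_resource);
    put_device(&hb->dev);                /* last reference: phb is freed here, after its last use */
    return rc;
}

/* Build a bridge holding the registration reference plus `extra_refs` others
 * (e.g. an open sysfs file), run one variant, and return:
 *  -1  the use-after-free was hit
 *   0  clean, and phb was eventually freed
 *   1  clean, but phb leaked */
static int run_scenario(bool fixed, int extra_refs)
{
    static struct resource ioport_root = { .name = "PCI IO" };  /* constructed sample tree */
    struct pci_host_bridge *hb = calloc(1, sizeof *hb);
    struct pci_controller *phb = calloc(1, sizeof *phb);
    int rc, result;

    hb->dev.refcount = 1 + extra_refs;
    hb->dev.release = bridge_release;
    hb->phb = phb;
    phb->io_resource.parent = &ioport_root;
    phb->io_resource.name = "PHB IO";

    last_freed = NULL;
    rc = fixed ? remove_phb_fixed(hb) : remove_phb_buggy(hb);
    while (extra_refs-- > 0)             /* the other holders let go later */
        put_device(&hb->dev);

    result = rc < 0 ? -1 : (last_freed == phb ? 0 : 1);
    free(phb);
    free(hb);
    return result;
}

int main(void)
{
    printf("buggy, no other refs: %d (the drmgr crash)\n", run_scenario(false, 0));
    printf("buggy, one other ref: %d (why it went unnoticed)\n", run_scenario(false, 1));
    printf("fixed, no other refs: %d\n", run_scenario(true, 0));
    printf("fixed, one other ref: %d\n", run_scenario(true, 1));
    return 0;
}
```

The shape of the fix is the general rule for anything owned by a reference count: a function that is going to touch an object after calling something that may drop the last reference to it must hold its own reference for the duration. Putting the put_device() after the last use, rather than merely reordering the calls, is what makes the fix hold up when other teardown steps are added later.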
Potential Impact
The exposure is narrow in hardware terms: only Linux on IBM Power systems running as PowerVM pSeries logical partitions (ppc64/ppc64le kernels built with pSeries support and the rpadlpar_io hot-plug driver) contain the affected code path, and it runs only when a PCI host bridge is removed through DLPAR. European organizations that run such systems tend to run them for enterprise database, ERP and HPC workloads, and for those a crash of the partition is a denial of service that takes down every service in it. The realistic form of the impact is therefore a partition crash in the middle of a legitimate maintenance operation (a drmgr-driven PHB removal), most likely on a kernel booted with slab debugging or page poisoning, rather than an attack: the backtrace in the description shows the trigger is a sysfs write by drmgr, a privileged administrative tool, so an unprivileged local user cannot reach it and anyone who can write that file is already root. Privilege escalation or arbitrary code execution from a kernel use-after-free is possible in principle, but for this bug it is speculative: no exploit has been published and no unprivileged trigger has been shown. Insider or compromised-administrator scenarios therefore reduce to a deliberate crash of a partition. The blast radius is the LPAR, not the host: PowerVM isolates partitions from each other, whereas containers inside the LPAR share its kernel and go down with it. Given that Linux on Power underpins a number of European data centre and research workloads, the bug still matters for operational continuity and for the integrity of data being written at the moment of the crash.
Mitigation Recommendations
To mitigate CVE-2022-49196, European organizations should:
1) Run a kernel that contains the fix. The upstream commit (powerpc/pseries: Fix use after free in remove_phb_dynamic()) dates from 2022, so current distribution kernels carry it; check the distribution's CVE tracker for CVE-2022-49196 against the running kernel (uname -r) and update wherever it is listed as unfixed.
2) Establish scope before spending effort. The code path exists only on ppc64/ppc64le pSeries kernels (uname -m) with the rpadlpar_io driver loaded (lsmod), which creates the add_slot and remove_slot files under /sys/bus/pci/slots/control/ that drmgr writes. x86, arm64 and bare-metal PowerNV systems are not affected.
3) Where patching must wait, treat DLPAR removal of a PCI host bridge on affected LPARs as a scheduled maintenance action: perform it in a maintenance window with kdump configured, and not on a kernel booted with slub_debug or page_poison, which turn the latent bug into a certain crash. Keep the sysfs control files at their default root-only permissions.
4) Do not enable slub_debug or page_poison in production as a detection measure; they are what makes this bug crash. They belong in test systems, together with KASAN, where they surface the use-after-free deterministically. In production, collect console and kdump output and alert on oopses whose backtrace contains release_resource, remove_phb_dynamic or dlpar_remove_slot, which identify this bug (or a regression of the fix) precisely.
5) Size the blast radius correctly: PowerVM isolates LPARs, so a crash takes down one partition together with every container in it; containers or namespaces inside the LPAR offer no isolation from a kernel crash. Spread critical services across LPARs or hosts rather than relying on in-kernel isolation.
6) Restrict and audit who can drive DLPAR operations (HMC access, root on the LPAR, use of drmgr). Because the trigger is a privileged write, account hygiene is the control that keeps the bug from being triggered deliberately.
7) For IBM Power systems under support, confirm with IBM and the distribution that the patched kernel is a supported combination with the firmware and hypervisor level in use before rolling it out.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.290Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd613
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 2:27:28 PM
Last updated: 8/13/2025, 6:51:01 AM