CVE-2022-49287: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

tpm: fix reference counting for struct tpm_chip

The following sequence of operations results in a refcount warning:

1. Open device /dev/tpmrm.
2. Remove module tpm_tis_spi.
3. Write a TPM command to the file descriptor opened at step 1.

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4 brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
Hardware name: BCM2711
[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
Exception stack(0xc226bfa8 to 0xc226bff0)
bfa0:                   00000000 000105b4 00000003 beafe664 00000014 00000000
bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
bfe0: 0000006c beafe648 0001056c b6eb6944
---[ end trace d4b8409def9b8b1f ]---

The reason for this warning is the attempt to get the chip->dev reference in tpm_common_write() although the reference counter is already zero. Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the extra reference used to prevent a premature zero counter is never taken, because the required TPM_CHIP_FLAG_TPM2 flag is never set. Fix this by moving the TPM 2 character device handling from tpm_chip_alloc() to tpm_add_char_device() which is called at a later point in time when the flag has been set in case of TPM2.

Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>") already introduced function tpm_devs_release() to release the extra reference but did not implement the required put on chip->devs that results in the call of this function. Fix this by putting chip->devs in tpm_chip_unregister().

Finally move the new implementation for the TPM 2 handling into a new function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the good case and error cases.
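The commit message describes two ordering defects: the extra reference that chip->devs should hold on chip->dev is taken only if TPM_CHIP_FLAG_TPM2 is already set, and the put on chip->devs that would release it was never issued. The following userspace C program is an added, deliberately simplified model written for this page; it is not the kernel's tpm code. The struct and function names (struct obj, struct chip, chip_devs_init, simulate, and the FLAG_TPM2 bit) are hypothetical stand-ins for struct device, struct tpm_chip, the TPM 2 character-device setup and the three reproduction steps. It replays the open / rmmod / write sequence with the pre-fix ordering (devs set up in chip allocation, before the flag is known, and never put on unregister) and the post-fix ordering (devs set up after the flag is set, and put on unregister), and reports whether the write would hit the "addition on 0" condition.

```c
#include <stdbool.h>
#include <stdio.h>

#define FLAG_TPM2 0x1u   /* hypothetical stand-in for TPM_CHIP_FLAG_TPM2 */

/* Toy refcounted object standing in for a struct device's kobject. */
struct obj {
    int refcount;
    bool freed;
};

/* Like kobject_get() on a refcount_t: an increment from zero is the
 * "refcount_t: addition on 0; use-after-free" condition in the trace,
 * so it is refused instead of resurrecting a freed object. */
static bool obj_try_get(struct obj *o)
{
    if (o->refcount == 0)
        return false;
    o->refcount++;
    return true;
}

/* Hypothetical stand-in for struct tpm_chip: dev is the main device,
 * devs is the device behind /dev/tpmrm<n>. */
struct chip {
    unsigned flags;
    struct obj dev;
    struct obj devs;
    bool devs_holds_dev;  /* extra reference devs takes on dev (TPM2 only) */
};

static void chip_put_dev(struct chip *c)
{
    if (c->dev.refcount > 0 && --c->dev.refcount == 0)
        c->dev.freed = true;
}

/* Modelled on tpm_devs_release(): when devs goes away it drops the
 * extra reference it holds on dev. */
static void chip_put_devs(struct chip *c)
{
    if (c->devs.refcount > 0 && --c->devs.refcount == 0) {
        c->devs.freed = true;
        if (c->devs_holds_dev)
            chip_put_dev(c);
    }
}

/* TPM 2 character-device setup: the extra reference on dev is taken
 * only if the TPM2 flag is already set at the moment this runs. */
static void chip_devs_init(struct chip *c)
{
    c->devs.refcount = 1;
    if (c->flags & FLAG_TPM2) {
        c->dev.refcount++;
        c->devs_holds_dev = true;
    }
}

/* Replays the three reproduction steps. Returns 0 if the write hits the
 * refcount warning (dev already at zero), 1 if the write is safe but dev
 * is never freed (leak), 2 if the write is safe and dev is freed exactly
 * when the last open file descriptor is closed. */
static int simulate(bool fixed)
{
    struct chip c = { .dev.refcount = 1 };

    /* tpm_chip_alloc(): the driver has not probed the chip yet, so the
     * TPM2 flag is still clear. The pre-fix code set up devs here. */
    if (!fixed)
        chip_devs_init(&c);

    /* Driver probe discovers a TPM 2.0 and sets the flag; the fix moves
     * devs setup into tpm_add_char_device(), which runs after this. */
    c.flags |= FLAG_TPM2;
    if (fixed)
        chip_devs_init(&c);

    /* Step 1: open /dev/tpmrm -> the open file holds a ref on devs. */
    if (!obj_try_get(&c.devs))
        return 0;

    /* Step 2: rmmod -> tpm_chip_unregister() drops the registration's
     * references. The pre-fix code never put devs here. */
    chip_put_dev(&c);
    if (fixed)
        chip_put_devs(&c);

    /* Step 3: write on the stale fd -> tpm_try_get_ops() gets dev. */
    if (!obj_try_get(&c.dev))
        return 0;           /* refcount already 0: the reported warning */
    chip_put_dev(&c);       /* write finished, tpm_put_ops() */

    /* Closing the fd drops the open file's reference on devs. */
    chip_put_devs(&c);

    return (c.dev.freed && c.devs.freed) ? 2 : 1;
}

int main(void)
{
    printf("pre-fix ordering:  %d\n", simulate(false));
    printf("post-fix ordering: %d\n", simulate(true));
    return 0;
}
```

With the pre-fix ordering the write finds chip->dev already at zero after the module is removed, which is the warning in the report; with the post-fix ordering the open file keeps chip->dev alive through its reference on chip->devs, and both objects are released only when the descriptor is closed. The model treats the lifetime rule, not the kernel's locking or the actual struct device API.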
AI Analysis
Technical Summary
CVE-2022-49287 is a high-severity vulnerability in the Linux kernel's TPM (Trusted Platform Module) subsystem, caused by incorrect reference counting for struct tpm_chip. The flaw lies in how references on the chip's devices are managed, particularly for TPM 2.0 character devices. It is triggered when a user opens /dev/tpmrm, the tpm_tis_spi kernel module is removed, and a TPM command is then written to the still-open file descriptor. The write attempts to take a reference on chip->dev whose count has already dropped to zero, producing a refcount warning and a use-after-free with potential kernel memory corruption. The root cause is that, since commit 8979b02aaf1d, the extra reference meant to keep the counter from reaching zero prematurely is never taken, because the TPM_CHIP_FLAG_TPM2 flag is not yet set when the character device is set up. The fix moves the TPM 2 character device handling from tpm_chip_alloc() to tpm_add_char_device(), which runs after the TPM2 flag has been set, and adds the missing put on chip->devs in tpm_chip_unregister() so that the extra reference is released. The vulnerability is classified as CWE-416 (Use After Free) and has a CVSS 3.1 base score of 7.8 (High). Exploitation requires local access (attack vector: local), has low complexity, needs only low privileges (enough to open the TPM device), and involves no user interaction. No exploits are known in the wild, but an attacker with local access could use the use-after-free in the TPM driver to crash the kernel, escalate privileges, or execute arbitrary code.
Potential Impact
For European organizations, this vulnerability poses significant risk primarily to systems running Linux kernels with TPM 2.0 support, especially those using TPM for hardware-based security functions such as secure boot, disk encryption, or cryptographic key storage. Exploitation could lead to kernel crashes (denial of service), privilege escalation, or arbitrary code execution at the kernel level, undermining system integrity and confidentiality. This is particularly critical for sectors relying on TPM for compliance and security assurance, including finance, healthcare, government, and critical infrastructure. The vulnerability could compromise the trustworthiness of TPM-based security mechanisms, potentially exposing sensitive cryptographic keys or allowing attackers to bypass security controls. Given the widespread use of Linux in servers, embedded devices, and cloud infrastructure across Europe, the impact could be broad, affecting enterprise servers, cloud providers, and IoT devices. The requirement for local privileges limits remote exploitation but does not eliminate risk from insider threats or attackers who gain initial access through other means.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the patch for CVE-2022-49287 as soon as vendor updates are available. Until patches are applied, organizations should restrict access to TPM devices (/dev/tpmrm and related interfaces) to trusted users only, enforce strict access controls, and monitor for suspicious module unload/load activities. Employing kernel lockdown features and mandatory access control frameworks (e.g., SELinux, AppArmor) can help limit the ability of unprivileged users to interact with TPM devices or unload kernel modules. Additionally, organizations should audit systems for the presence of vulnerable kernel versions and TPM 2.0 usage, and consider isolating critical systems to reduce the risk of local exploitation. For embedded or IoT devices, coordinate with vendors to obtain patched firmware or kernel updates. Implementing comprehensive endpoint detection and response (EDR) solutions can help detect anomalous behavior indicative of exploitation attempts. Finally, maintain robust incident response plans to quickly address potential exploitation scenarios involving kernel-level vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.302Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe553b
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 7/3/2025, 2:41:22 AM
Last updated: 8/18/2025, 6:35:47 AM
Views: 13