CVE-2022-49686 is a vulnerability identified in the Linux kernel's USB gadget subsystem, specifically within the USB Video Class (UVC) gadget driver component. The flaw arises in the function uvcg_video_pump, which manages video streaming requests for USB gadget devices emulating UVC functionality. The vulnerability is caused by a double addition of a request to the req_free list, a linked list managing free USB requests. This occurs when an endpoint becomes disabled and the uvcg_video_pump function erroneously adds a request back to the req_free list after it has already been queued to the endpoint. The endpoint completion handler also attempts to add the same request back to the list, resulting in a double add operation. This leads to a kernel BUG triggered by list corruption, causing a kernel panic and system crash. The technical logs indicate that the kernel panic occurs at list_debug.c, confirming the list corruption. The root cause is a failure to invalidate the local request handle after queuing it, allowing the same request to be re-queued improperly. This vulnerability affects Linux kernel versions containing the specified commit hashes and is resolved by ensuring the request handle is invalidated once queued, preventing double addition. There are no known exploits in the wild, and no CVSS score has been assigned yet. The vulnerability impacts the stability and availability of affected Linux systems running USB gadget UVC functionality, potentially causing denial of service through kernel panics.

For European organizations, the primary impact of CVE-2022-49686 is on system availability and reliability. Systems running Linux kernels with the vulnerable USB gadget UVC driver may experience kernel panics leading to unexpected reboots or crashes, disrupting critical services. This is particularly relevant for organizations using embedded Linux devices, IoT gateways, or specialized hardware that utilize USB gadget functionality for video streaming or device emulation. Industrial control systems, telecommunications infrastructure, and media processing equipment in sectors such as manufacturing, healthcare, and broadcasting could be affected if they rely on these Linux kernel features. Although the vulnerability does not directly compromise confidentiality or integrity, the denial of service caused by kernel panics can lead to operational downtime, impacting business continuity and service delivery. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering through malformed USB gadget interactions.

To mitigate CVE-2022-49686, European organizations should prioritize updating their Linux kernel to the latest patched versions that include the fix for this vulnerability. Kernel updates should be tested and deployed promptly, especially on devices utilizing USB gadget UVC functionality. Organizations should audit their device inventory to identify systems employing USB gadget drivers and assess exposure. For embedded and IoT devices where kernel updates may be delayed or difficult, consider disabling USB gadget UVC functionality if not required, reducing the attack surface. Implement monitoring to detect kernel panics or unusual USB gadget behavior that could indicate attempted exploitation or triggering of the flaw. Additionally, enforce strict device control policies to limit unauthorized USB gadget connections, minimizing risk from malicious or malformed USB interactions. In environments where high availability is critical, deploy redundancy and failover mechanisms to mitigate downtime caused by potential kernel crashes. Finally, maintain awareness of vendor advisories and community updates regarding this vulnerability for any emerging exploit techniques or patches.