CVE-2022-49755 is a high-severity vulnerability in the Linux kernel affecting the USB gadget subsystem, specifically the functionfs (function filesystem) driver. The vulnerability arises from a race condition during the fast composition switch process involving the endpoint zero request (ep0req) used in control endpoint communication. In detail, the functions ffs_ep0_write and ffs_ep0_read can enter a race condition because the ep0req structure may be freed asynchronously by functionfs_unbind without proper synchronization. When ffs_ep0_write calls ffs_ep0_queue_wait, it acquires a lock on ffs->ev.waitq.lock, but functionfs_unbind can concurrently set ep0req to NULL without a NULL check in ffs_ep0_queue_wait, leading to a use-after-free (CWE-416) condition. This flaw can cause memory corruption, potentially allowing an attacker with limited privileges to execute arbitrary code or cause denial of service by crashing the kernel. The fix involves introducing serialized execution between these functions using a mutex (ffs->mutex) to prevent concurrent access and ensure ep0req is not freed while in use. The vulnerability has a CVSS 3.1 score of 7.8, indicating high severity, with attack vector local, low attack complexity, requiring low privileges and no user interaction, and impacts confidentiality, integrity, and availability. No known exploits are reported in the wild yet, but the vulnerability affects Linux kernel versions prior to the patch commit identified by the hash ddf8abd2599491cbad959c700b90ba72a5dce8d0.

For European organizations, this vulnerability poses a significant risk especially to environments running Linux-based systems with USB gadget functionality enabled, such as embedded devices, IoT gateways, network appliances, and servers that utilize functionfs for USB device emulation. Exploitation could lead to kernel crashes, denial of service, or privilege escalation, compromising system availability and potentially allowing attackers to execute arbitrary code with kernel privileges. This is particularly critical for sectors relying on Linux for critical infrastructure, industrial control systems, telecommunications, and cloud services. The local attack vector means that attackers need some level of access to the system, which could be achieved through compromised user accounts or insider threats. Given the widespread use of Linux in European data centers, government agencies, and enterprises, unpatched systems could be targeted for disruption or lateral movement within networks. The absence of known exploits currently reduces immediate risk, but the high severity and ease of exploitation once local access is gained necessitate prompt remediation to prevent future attacks.

European organizations should prioritize updating Linux kernels to versions that include the fix for CVE-2022-49755. Specifically, they should apply the patch that introduces mutex-based serialization between ffs_ep0_write/ffs_ep0_read and functionfs_unbind to eliminate the race condition. For embedded and IoT devices where kernel updates may be challenging, organizations should work with vendors to obtain patched firmware or consider network segmentation to isolate vulnerable devices. Additionally, implement strict access controls and monitoring to limit local user privileges and detect suspicious activity indicative of attempts to exploit kernel vulnerabilities. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enable security modules like SELinux or AppArmor to reduce exploitation likelihood. Regularly audit USB gadget usage and disable functionfs if not required. Finally, maintain an up-to-date inventory of Linux systems and ensure rapid deployment of security patches through automated configuration management tools.