CVE-2022-49900: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

i2c: piix4: Fix adapter not be removed in piix4_remove()

In piix4_probe(), the piix4 adapter will be registered in:

    piix4_probe()
      piix4_add_adapters_sb800() / piix4_add_adapter()
        i2c_add_adapter()

Based on the probed device type, piix4_add_adapters_sb800() or single piix4_add_adapter() will be called. For the former case, piix4_adapter_count is set as the number of adapters, while for another case it is not set and kept default *zero*.

When piix4 is removed, piix4_remove() removes the adapters added in piix4_probe(), basing on the piix4_adapter_count value. Because the count is zero for the single adapter case, the adapter won't be removed and makes the sources allocated for adapter leaked, such as the i2c client and device.

These sources can still be accessed by i2c or bus and cause problems. An easily reproduced case is that if a new adapter is registered, i2c will get the leaked adapter and try to call smbus_algorithm, which was already freed:

Triggered by: rmmod i2c_piix4 && modprobe max31730

    BUG: unable to handle page fault for address: ffffffffc053d860
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    Oops: 0000 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 3752 Comm: modprobe Tainted: G
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core
    RSP: 0018:ffff888107477710 EFLAGS: 00000246
    ...
    <TASK>
     i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core
     __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core
     bus_for_each_dev (drivers/base/bus.c:301)
     i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core
     i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core
     do_one_initcall (init/main.c:1296)
     do_init_module (kernel/module/main.c:2455)
    ...
    </TASK>
    ---[ end trace 0000000000000000 ]---

Fix this problem by correctly set piix4_adapter_count as 1 for the single adapter so it can be normally removed.
AI Analysis
Technical Summary
CVE-2022-49900 is a vulnerability in the Linux kernel's i2c piix4 driver related to improper resource cleanup during adapter removal. The piix4 driver manages I2C adapters on certain hardware platforms. During the probe phase, the driver registers one or more adapters depending on the device type. For multiple adapters (handled by piix4_add_adapters_sb800), the driver correctly sets a count of adapters (piix4_adapter_count). However, for the single adapter case (handled by piix4_add_adapter), this count remains zero by default. When the driver is removed (piix4_remove), it relies on piix4_adapter_count to determine how many adapters to remove and free. Because the count is zero in the single adapter case, the adapter is not removed, causing a resource leak of the adapter, including associated i2c client and device structures. These leaked resources remain accessible via the i2c bus, leading to use-after-free conditions. An example trigger is unloading the i2c_piix4 module (rmmod i2c_piix4) and then loading another module (modprobe max31730), which causes the kernel to access freed memory, resulting in a kernel oops and page fault. The root cause is that the piix4_adapter_count is not set to 1 for the single adapter scenario, preventing proper cleanup. The fix involves correctly setting piix4_adapter_count to 1 in the single adapter case to ensure proper removal and freeing of resources. This vulnerability can lead to kernel crashes and potential denial of service due to memory corruption in kernel space. There is no indication of privilege escalation or remote exploitation, but local module manipulation can trigger the issue.
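The count mismatch described above can be reproduced in a small user-space model. This is an added example, not the kernel driver's code: the array on_bus, the functions model_probe, model_remove and stale_after_unload, and the limit MAX_ADAPTERS are hypothetical names that stand in for the i2c core's adapter list and for piix4_probe() / piix4_remove().

```c
/* User-space model of the driver's adapter bookkeeping; an illustration, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_ADAPTERS 4

static int on_bus[MAX_ADAPTERS]; /* 1 = the i2c core still holds this adapter */
static int adapter_count;        /* models piix4_adapter_count */

/* Models piix4_probe(): sb800 selects the multi-adapter path. */
static void model_probe(int sb800, int fixed)
{
    int n = sb800 ? MAX_ADAPTERS : 1;
    for (int i = 0; i < n; i++)
        on_bus[i] = 1;           /* registration, the i2c_add_adapter() step */
    if (sb800)
        adapter_count = n;       /* the multi-adapter path always recorded its count */
    else if (fixed)
        adapter_count = 1;       /* the fix: record the single adapter too */
}

/* Models piix4_remove(): unregisters only what the count covers. */
static void model_remove(void)
{
    for (int port = adapter_count; --port >= 0; )
        on_bus[port] = 0;
    adapter_count = 0;
}

/* Probe, remove, then count adapters the core can still reach after unload. */
int stale_after_unload(int sb800, int fixed)
{
    int stale = 0;
    memset(on_bus, 0, sizeof(on_bus));
    adapter_count = 0;
    model_probe(sb800, fixed);
    model_remove();
    for (int i = 0; i < MAX_ADAPTERS; i++)
        stale += on_bus[i];
    return stale;
}

int main(void)
{
    printf("single adapter, count left at 0: %d stale\n", stale_after_unload(0, 0));
    printf("single adapter, count set to 1:  %d stale\n", stale_after_unload(0, 1));
    printf("sb800 path:                      %d stale\n", stale_after_unload(1, 0));
    return 0;
}
```

In the kernel, each stale entry is an adapter whose backing memory went away with the unloaded module, which is what the next driver registration walks into in the trace above.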
Potential Impact
For European organizations running Linux systems with hardware using the piix4 i2c driver, this vulnerability can cause kernel instability and crashes, leading to denial of service. This is particularly relevant for servers, embedded systems, or industrial control systems relying on Linux kernels with this driver. The impact is primarily on system availability and reliability. Since the vulnerability involves kernel memory corruption, it could potentially be leveraged in complex attack chains, though no known exploits exist currently. Organizations with critical infrastructure or production environments using affected Linux kernels may experience unexpected downtime or require system reboots to recover. The vulnerability does not directly expose data confidentiality or integrity but can disrupt operations. Given the widespread use of Linux in Europe across sectors such as finance, manufacturing, and public services, the risk of operational disruption is significant if unpatched systems are present. However, exploitation requires local access and module manipulation, limiting remote attack vectors.
Mitigation Recommendations
1. Apply the official Linux kernel patch that sets piix4_adapter_count to 1 for the single adapter case to ensure proper resource cleanup.
2. Update Linux kernel versions to the latest stable releases where this fix is included.
3. Avoid unloading and reloading kernel modules related to i2c_piix4 unless necessary, especially in production environments.
4. Implement strict access controls to limit who can load/unload kernel modules, reducing risk of accidental or malicious triggering.
5. Monitor kernel logs for oops or page fault messages related to i2c or piix4 drivers as early indicators of exploitation attempts or instability.
6. For embedded or industrial systems, coordinate with hardware vendors to confirm driver versions and patch status.
7. Employ kernel live patching solutions where possible to apply fixes without downtime.
8. Conduct thorough testing in staging environments before deploying kernel updates to critical systems to avoid regressions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.244Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3fd8
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:26:06 PM
Last updated: 8/4/2025, 12:27:44 AM