CVE-2022-49755

HIGH EPSS 12.4%
Published Mar 27, 20251y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 27, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
12.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥2.6.35  –  <4.14.305
linuxlinux_kernel*≥4.15  –  <4.19.272
linuxlinux_kernel*≥4.20  –  <5.4.231
linuxlinux_kernel*≥5.5  –  <5.10.166
linuxlinux_kernel*≥5.11  –  <5.15.91
linuxlinux_kernel*≥5.16  –  <6.1.9
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
    Patch