CVE-2022-49939

HIGH EPSS 2.8%
Published Jun 18, 20251y ago · Modified Jun 17, 20261w ago
7.0 CVSS 3.1
High
Find Similar
Published Jun 18, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-362
CWE-416 Use After Free Memory Safety

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel* <4.14.293
linuxlinux_kernel*≥4.15  –  <4.19.258
linuxlinux_kernel*≥4.20  –  <5.4.213
linuxlinux_kernel*≥5.5  –  <5.10.142
linuxlinux_kernel*≥5.11  –  <5.15.66
linuxlinux_kernel*≥5.16  –  <5.19.8
linuxlinux_kernel6.0any
linuxlinux_kernel6.0any
linuxlinux_kernel6.0any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/30d0901b307f27d36b2655fb3048cf31ee0e89c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9629f2dfdb1dad294b468038ff8e161e94d0b609
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a0e44c64b6061dda7e00b7c458e4523e2331b739
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/30d0901b307f27d36b2655fb3048cf31ee0e89c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9629f2dfdb1dad294b468038ff8e161e94d0b609
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a0e44c64b6061dda7e00b7c458e4523e2331b739
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6
    Patch