Use-after-free in Linux kernel - CVE-2022-49287
Published: February 26, 2025 / Updated: May 11, 2025
Vulnerability identifier: #VU104466
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-49287
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the dev_err() function in drivers/char/tpm/tpm2-space.c, within the tpm_dev_release(), tpm_chip_alloc(), tpm_add_char_device() and tpm_chip_unregister() functions in drivers/char/tpm/tpm-chip.c. A local user can escalate privileges on the system.
How to mitigate CVE-2022-49287
Install update from vendor's website.
Sources
- https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258
- https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409
- https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac
- https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe
- https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3
- https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712
- https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
- https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2
- https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.238