CVE-2022-49308 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: extcon: Modify extcon device to be created after driver data is set Currently, someone can invoke the sysfs such as state_show() intermittently before dev_set_drvdata() is done. And it can be a cause of kernel Oops because of edev is Null at that time. So modified the driver registration to after setting drviver data. - Oops's backtrace. Backtrace: [<c067865c>] (state_show) from [<c05222e8>] (dev_attr_show) [<c05222c0>] (dev_attr_show) from [<c02c66e0>] (sysfs_kf_seq_show) [<c02c6648>] (sysfs_kf_seq_show) from [<c02c496c>] (kernfs_seq_show) [<c02c4938>] (kernfs_seq_show) from [<c025e2a0>] (seq_read) [<c025e11c>] (seq_read) from [<c02c50a0>] (kernfs_fop_read) [<c02c5064>] (kernfs_fop_read) from [<c0231cac>] (__vfs_read) [<c0231c5c>] (__vfs_read) from [<c0231ee0>] (vfs_read) [<c0231e34>] (vfs_read) from [<c0232464>] (ksys_read) [<c02323f0>] (ksys_read) from [<c02324fc>] (sys_read) [<c02324e4>] (sys_read) from [<c00091d0>] (__sys_trace_return)

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/033ec4e7e59ae5e1ef1e8c10bc6552926044ed1c
https://git.kernel.org/stable/c/35ff1ac55d301efb3f467cf5426faaeb3452994b
https://git.kernel.org/stable/c/368e68ad6da4317fc4170e8d92b51c13d1bfe7a7
https://git.kernel.org/stable/c/5dcc2afe716d69f5112ce035cb14f007461ff189
https://git.kernel.org/stable/c/6e721f3ad0535b24f19a62420f4da95212cf069c
https://git.kernel.org/stable/c/abf3b222614f49f98e606fccdd269161c0d70204
https://git.kernel.org/stable/c/cb81ea998c461868d1168411a867d8ffee12f23f
https://git.kernel.org/stable/c/d472c78cc82999d07bd09193a6718016ce9cd386
https://lore.kernel.org/linux-cve-announce/2025022635-CVE-2022-49308-23f0@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-49308
https://www.cve.org/CVERecord?id=CVE-2022-49308

History

Wed, 26 Feb 2025 13:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025022635-CVE-2022-49308-23f0@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-49308 https://www.cve.org/CVERecord?id=CVE-2022-49308
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 26 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: extcon: Modify extcon device to be created after driver data is set Currently, someone can invoke the sysfs such as state_show() intermittently before dev_set_drvdata() is done. And it can be a cause of kernel Oops because of edev is Null at that time. So modified the driver registration to after setting drviver data. - Oops's backtrace. Backtrace: [<c067865c>] (state_show) from [<c05222e8>] (dev_attr_show) [<c05222c0>] (dev_attr_show) from [<c02c66e0>] (sysfs_kf_seq_show) [<c02c6648>] (sysfs_kf_seq_show) from [<c02c496c>] (kernfs_seq_show) [<c02c4938>] (kernfs_seq_show) from [<c025e2a0>] (seq_read) [<c025e11c>] (seq_read) from [<c02c50a0>] (kernfs_fop_read) [<c02c5064>] (kernfs_fop_read) from [<c0231cac>] (__vfs_read) [<c0231c5c>] (__vfs_read) from [<c0231ee0>] (vfs_read) [<c0231e34>] (vfs_read) from [<c0232464>] (ksys_read) [<c02323f0>] (ksys_read) from [<c02324fc>] (sys_read) [<c02324e4>] (sys_read) from [<c00091d0>] (__sys_trace_return)
Title		extcon: Modify extcon device to be created after driver data is set
References		https://git.kernel.org/stable/c/033ec4e7e59ae5e1ef1e8c10bc6552926044ed1c https://git.kernel.org/stable/c/35ff1ac55d301efb3f467cf5426faaeb3452994b https://git.kernel.org/stable/c/368e68ad6da4317fc4170e8d92b51c13d1bfe7a7 https://git.kernel.org/stable/c/5dcc2afe716d69f5112ce035cb14f007461ff189 https://git.kernel.org/stable/c/6e721f3ad0535b24f19a62420f4da95212cf069c https://git.kernel.org/stable/c/abf3b222614f49f98e606fccdd269161c0d70204 https://git.kernel.org/stable/c/cb81ea998c461868d1168411a867d8ffee12f23f https://git.kernel.org/stable/c/d472c78cc82999d07bd09193a6718016ce9cd386

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-26T02:10:39.648Z

Updated: 2025-05-04T08:34:53.112Z

Reserved: 2025-02-26T02:08:31.536Z

Link: CVE-2022-49308

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-02-26T07:01:07.607

Modified: 2025-02-26T07:01:07.607

Link: CVE-2022-49308

Redhat

Severity : Low

Publid Date: 2025-02-26T00:00:00Z

Links: CVE-2022-49308 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object