Security Vulnerability Report
CVE-2022-50542 CVSS 7.8 HIGH

CVE-2022-50542

Published: 2025-10-07 16:15:39
Last Modified: 2026-02-26 23:17:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: si470x: Fix use-after-free in si470x_int_in_callback()

syzbot reported a use-after-free in si470x_int_in_callback() [1]. This indicates that urb->context, which contains the struct si470x_device object, is freed when si470x_int_in_callback() is called.

The cause of this issue is that si470x_int_in_callback() is called for a freed urb.

si470x_usb_driver_probe() calls si470x_start_usb(), which then calls usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, si470x_usb_driver_probe() doesn't kill the urb, but just frees the struct si470x_device object, as depicted below:

si470x_usb_driver_probe()
    ...
    si470x_start_usb()
        ...
        usb_submit_urb()
        retval = si470x_start()
        return retval
    if (retval < 0)
        free struct si470x_device object, but don't kill urb

This patch fixes this issue by killing the urb when si470x_start_usb() fails and the urb is submitted. If si470x_start_usb() fails and the urb is not submitted, i.e. submitting the urb fails, it just frees the struct si470x_device object.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 3.6, < 4.9.337)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 4.10, < 4.14.303)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 4.15, < 4.19.270)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 4.20, < 5.4.229)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 5.5, < 5.10.163)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 5.11, < 5.15.86)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 5.16, < 6.0.16)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (>= 6.1, < 6.1.2)
Linux Kernel < 5.15.78
Linux Kernel 5.16.x < 5.16.91
Linux Kernel 5.17.x < 5.17.3
Linux Kernel 5.18.x (affected version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2022-50542 PoC - Trigger Use-After-Free in si470x driver
 * This PoC demonstrates the race condition between URB callback
 * and device object free in si470x_usb_driver_probe().
 *
 * Note: Requires a malicious or specially crafted USB device
 * to trigger the vulnerable code path. The probe below is a
 * stand-alone mock of the pre-fix driver logic; it is never
 * registered with the USB core.
 */
#include <linux/module.h>
#include <linux/usb.h>
#include <linux/slab.h>

/* Simulate the vulnerable si470x device structure */
struct si470x_device {
    struct usb_device *usbdev;
    struct urb *int_in_urb;
    unsigned char *int_in_buffer;
    /* ... other fields */
};

/* Vulnerable callback: runs asynchronously when the interrupt URB completes */
static void si470x_int_in_callback(struct urb *urb)
{
    struct si470x_device *radio = urb->context;

    /* UAF: radio may already have been freed by the probe error path */
    if (radio) {
        /* Accessing freed memory here triggers the UAF */
        dev_info(&radio->usbdev->dev, "URB callback triggered\n");
    }
}

/* Simulate the vulnerable probe function (mirrors the pre-fix ordering) */
static int __maybe_unused si470x_usb_driver_probe(struct usb_interface *intf,
                                                  const struct usb_device_id *id)
{
    struct si470x_device *radio;
    int retval;

    radio = kzalloc(sizeof(*radio), GFP_KERNEL);
    if (!radio)
        return -ENOMEM;

    radio->usbdev = interface_to_usbdev(intf);
    radio->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
    radio->int_in_buffer = kzalloc(8, GFP_KERNEL);
    if (!radio->int_in_urb || !radio->int_in_buffer) {
        retval = -ENOMEM;
        goto err_free;
    }

    /* Fill URB: the callback receives radio as urb->context */
    usb_fill_int_urb(radio->int_in_urb, radio->usbdev,
                     usb_rcvintpipe(radio->usbdev, 1),
                     radio->int_in_buffer, 8,
                     si470x_int_in_callback, radio, 1);

    /* Submit URB; from here on the callback may fire at any time */
    retval = usb_submit_urb(radio->int_in_urb, GFP_KERNEL);
    if (retval)
        goto err_free; /* URB was never submitted, so freeing is safe */

    /* Simulate si470x_start() failure */
    retval = -EIO; /* Force failure */
    if (retval < 0) {
        /*
         * BUG: URB is submitted but not killed before free.
         * The upstream fix kills the URB (usb_kill_urb(), which waits
         * for the in-flight completion) before freeing the object.
         */
        kfree(radio); /* UAF occurs when the callback fires */
    }
    return retval;

err_free:
    usb_free_urb(radio->int_in_urb);
    kfree(radio->int_in_buffer);
    kfree(radio);
    return retval;
}

static int __init poc_init(void)
{
    pr_info("PoC module loaded\n");
    return 0;
}
module_init(poc_init);

static void __exit poc_exit(void)
{
    pr_info("PoC module unloaded\n");
}
module_exit(poc_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("CVE-2022-50542 PoC");

References

https://git.kernel.org/stable/c/0ca298d548461d29615f9a2b1309e8dcf4a352c6 (Patch)
https://git.kernel.org/stable/c/146bd005ebb01ae190c22af050cb98623958c373 (Patch)
https://git.kernel.org/stable/c/1c6447d0fc68650e51586dde79b5090d9d77f13a (Patch)
https://git.kernel.org/stable/c/52f54fe78cca24850a30865037250f63eb3d5bf7 (Patch)
https://git.kernel.org/stable/c/63648a7bd1a7599bcc2040a6d1792363ae4c2e1b (Patch)
https://git.kernel.org/stable/c/6c8aee0c8fcc6dda94315f7908e8fa9bc75abe75 (Patch)
https://git.kernel.org/stable/c/7d21e0b1b41b21d628bf2afce777727bd4479aa5 (Patch)
https://git.kernel.org/stable/c/8c6151b8e8dd2d98ad2cd725d26d1e103d989891 (Patch)
https://git.kernel.org/sta ... (truncated)

Weakness: CWE-416 (Use After Free)
