CVE-2022-49419

{"id": "CVE-2022-49419", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:18.350", "references": [{"url": "https://git.kernel.org/stable/c/0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acde4003efc16480375543638484d8f13f2e99a3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d260cad015945d1f4bb9b028a096f648506106a2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f605f5558ecc175ec70016a3c15f007cb6386531", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup\n\nCommit b3c9a924aab6 (\"fbdev: vesafb: Cleanup fb_info in .fb_destroy rather\nthan .remove\") fixed a use-after-free error due the vesafb driver freeing\nthe fb_info in the .remove handler instead of doing it in .fb_destroy.\n\nThis can happen if the .fb_destroy callback is executed after the .remove\ncallback, since the former tries to access a pointer freed by the latter.\n\nBut that change didn't take into account that another possible scenario is\nthat .fb_destroy is called before the .remove callback. For example, if no\nprocess has the fbdev chardev opened by the time the driver is removed.\n\nIf that's the case, fb_info will be freed when unregister_framebuffer() is\ncalled, making the fb_info pointer accessed in vesafb_remove() after that\nto no longer be valid.\n\nTo prevent that, move the expression containing the info->par to happen\nbefore the unregister_framebuffer() function call."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup Commit b3c9a924aab6 (\"fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove\") corrigi\u00f3 un error de use-after-free debido a que el controlador vesafb liberaba fb_info en el controlador .remove en lugar de hacerlo en .fb_destroy. Esto puede suceder si la devoluci\u00f3n de llamada .fb_destroy se ejecuta despu\u00e9s de la devoluci\u00f3n de llamada .remove, ya que la primera intenta acceder a un puntero liberado por la segunda. Pero ese cambio no tuvo en cuenta que otro escenario posible es que se llame a .fb_destroy antes de la devoluci\u00f3n de llamada .remove. Por ejemplo, si ning\u00fan proceso tiene abierto el fbdev chardev en el momento en que se elimina el controlador. Si ese es el caso, fb_info se liberar\u00e1 cuando se llame a unregister_framebuffer(), lo que har\u00e1 que el puntero fb_info al que se accedi\u00f3 en vesafb_remove() despu\u00e9s de eso ya no sea v\u00e1lido. Para evitarlo, mueva la expresi\u00f3n que contiene info->par para que suceda antes de la llamada a la funci\u00f3n unregister_framebuffer()."}], "lastModified": "2025-03-24T19:57:48.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85BFCBED-AE6A-4374-BB72-828A4D80AF2D", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.15.41"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A40FD6B9-AD46-4C81-B897-DBBFEA16128C", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.17.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}