CVE-2022-49535

{"id": "CVE-2022-49535", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:29.490", "references": [{"url": "https://git.kernel.org/stable/c/10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/577a942df3de2666f6947bdd3a5c9e8d30073424", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c7dc74ab7975c9b96284abfe4cca756d75fa4604", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI\n\nIf lpfc_issue_els_flogi() fails and returns non-zero status, the node\nreference count is decremented to trigger the release of the nodelist\nstructure. However, if there is a prior registration or dev-loss-evt work\npending, the node may be released prematurely. When dev-loss-evt\ncompletes, the released node is referenced causing a use-after-free null\npointer dereference.\n\nSimilarly, when processing non-zero ELS PLOGI completion status in\nlpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport\nregistration before triggering node removal. If dev-loss-evt work is\npending, the node may be released prematurely and a subsequent call to\nlpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.\n\nAdd test for pending dev-loss before decrementing the node reference count\nfor FLOGI, PLOGI, PRLI, and ADISC handling."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: lpfc: Se corrige la desreferencia de puntero nulo despu\u00e9s de no poder emitir FLOGI y PLOGI Si lpfc_issue_els_flogi() falla y devuelve un estado distinto de cero, el recuento de referencia del nodo se reduce para activar la liberaci\u00f3n de la estructura de lista de nodos. Sin embargo, si hay un registro previo o trabajo dev-loss-evt pendiente, el nodo puede liberarse prematuramente. Cuando dev-loss-evt se completa, se hace referencia al nodo liberado, lo que provoca una desreferencia de puntero nulo de use-after-free. De manera similar, al procesar el estado de finalizaci\u00f3n de ELS PLOGI distinto de cero en lpfc_cmpl_els_plogi(), se comprueban los indicadores ndlp en busca de un registro de transporte antes de activar la eliminaci\u00f3n del nodo. Si hay trabajo pendiente de dev-loss-evt, el nodo puede liberarse prematuramente y una llamada posterior a lpfc_dev_loss_tmo_handler() da como resultado un uso despu\u00e9s de la desreferencia de ndlp libre. Agregue una prueba para dev-loss pendiente antes de disminuir el recuento de referencias de nodo para la gesti\u00f3n de FLOGI, PLOGI, PRLI y ADISC."}], "lastModified": "2025-11-18T15:09:24.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1AE45B7-B31B-48DF-9F83-959F56624B62", "versionEndExcluding": "5.15.181"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98CD047E-3CA9-4A90-93B0-040784FAD016", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}