CVE-2022-49935

In the Linux kernel, the following vulnerability has been resolved: dma-buf/dma-resv: check if the new fence is really later Previously when we added a fence to a dma_resv object we always assumed the the newer than all the existing fences. With Jason's work to add an UAPI to explicit export/import that's not necessary the case any more. So without this check we would allow userspace to force the kernel into an use after free error. Since the change is very small and defensive it's probably a good idea to backport this to stable kernels as well just in case others are using the dma_resv object in the same way.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/a3f7c10a269d5b77dd5822ade822643ced3057f0	Patch
https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::

History

14 Nov 2025, 20:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
References	~~() https://git.kernel.org/stable/c/a3f7c10a269d5b77dd5822ade822643ced3057f0 -~~	() https://git.kernel.org/stable/c/a3f7c10a269d5b77dd5822ade822643ced3057f0 - Patch
References	~~() https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870 -~~	() https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870 - Patch
CWE		CWE-416
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel:6.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::

Information

Published : 2025-06-18 11:15

Updated : 2025-11-14 20:24

NVD link : CVE-2022-49935

Mitre link : CVE-2022-49935

CVE.ORG link : CVE-2022-49935

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2022-49935", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:20.340", "references": [{"url": "https://git.kernel.org/stable/c/a3f7c10a269d5b77dd5822ade822643ced3057f0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/dma-resv: check if the new fence is really later\n\nPreviously when we added a fence to a dma_resv object we always\nassumed the the newer than all the existing fences.\n\nWith Jason's work to add an UAPI to explicit export/import that's not\nnecessary the case any more. So without this check we would allow\nuserspace to force the kernel into an use after free error.\n\nSince the change is very small and defensive it's probably a good\nidea to backport this to stable kernels as well just in case others\nare using the dma_resv object in the same way."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-buf/dma-resv: comprobar si la nueva valla es realmente posterior. Anteriormente, al a\u00f1adir una valla a un objeto dma_resv, siempre supon\u00edamos que era m\u00e1s reciente que todas las vallas existentes. Gracias al trabajo de Jason para a\u00f1adir una UAPI a la exportaci\u00f3n/importaci\u00f3n expl\u00edcita, esto ya no es necesario. Por lo tanto, sin esta comprobaci\u00f3n, permitir\u00edamos que el espacio de usuario forzara al kernel a un error de Use-After-Free. Dado que el cambio es muy peque\u00f1o y defensivo, probablemente sea buena idea retroportarlo tambi\u00e9n a los kernels estables, por si acaso otros utilizan el objeto dma_resv de la misma manera."}], "lastModified": "2025-11-14T20:24:22.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40609647-0783-4105-9869-6AF27151B4D3", "versionEndExcluding": "5.19.8", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}