CVE-2022-49010

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A vulnerability in the Linux kernel has been resolved, related to the hwmon coretemp module. The issue occurs when coretemp add core() encounters an error, causing pdata->core data[indx] to be NULL and kfreed. Passing this NULL value to sysfs remove group() results in a crash. This can lead to a kernel NULL pointer dereference, as seen in the error log with a BUG message and a call trace involving sysfs remove group() and coretemp cpu offline(). The estimated number of potentially affected devices worldwide is not available.

Recommendations To resolve this issue, check for NULL before removing sysfs attrs in the coretemp module. Specifically, modify the code to check if pdata->core data[indx] is NULL before passing it to sysfs remove group(). As a temporary workaround, consider disabling the coretemp module until a patch is available. However, the most effective solution is to apply the fix by checking for NULL first, as described in the vulnerability resolution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.