PT-2025-25862 · Linux+4 · Linux Kernel+4

Published

2022-08-30

Updated

2025-07-28

CVE-2022-49936

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.18.0

Description A recursive locking violation was discovered in the Linux kernel's USB storage component. This issue was identified through automatic kernel fuzzing and occurs due to a nested device-reset call. The USB core lacks protection against such nested resets, which can lead to recursive locking violations. The vulnerability is not related to an error in usb-storage but rather a result of a nested device reset attempt.

Recommendations For Linux kernel versions prior to 5.18.0, consider applying a patch that adds a reset in progress flag to prevent nested device resets. As a temporary workaround, avoid performing resets as part of disconnect processing to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-833

Related Identifiers

BDU:2026-02345

CESA-2023_2951

CVE-2022-49936

RHSA-2023:2458

RHSA-2023:2951

RHSA-2023_2458

RHSA-2023_2951

SUSE-SU-2025:02264-1

SUSE-SU-2025:02308-1

SUSE-SU-2025:02320-1

SUSE-SU-2025:02321-1

SUSE-SU-2025:02322-1

SUSE-SU-2025:02334-1

SUSE-SU-2025:02537-1

SUSE-SU-2025:2264-1

SUSE-SU-2025_02264-1

SUSE-SU-2025_02308-1

SUSE-SU-2025_02334-1

SUSE-SU-2025_02537-1

Affected Products

Astra Linux

Centos

Linux Kernel

Red Hat

Suse

PT-2025-25862 · Linux+4 · Linux Kernel+4

CVE-2022-49936

Weakness Enumeration

Related Identifiers

Affected Products

References · 748