PT-2025-8434 · Linux+3 · Linux Kernel+3

Lukas Wunner · Published 2022-01-01 · Updated 2025-04-14 · CVE-2022-49501

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A vulnerability has been identified in the Linux kernel's handling of USB Ethernet adapters. The issue arises from a use-after-free error on disconnect, which a commit attempted to fix by reversing the order of the unbind and unregister netdev operations. However, that fix introduced asymmetry between the binding and unbinding process, leading to unnecessary stopping of a PHY (Physical Layer) device. The correct fix is to revert this commit and restore the original order of operations.

Recommendations

For the Linux kernel, revert the commit 2c9d6c2b871d to restore the original order of the unbind and unregister netdev operations, which allows the call to phy_stop() in the ->stop() function to be unconditional.

Exploit

Fix

Use After Free

Double Free

Weakness Enumeration

Related Identifiers

BDU:2025-04338
CVE-2022-49501
SUSE-SU-2025:1027-1
SUSE-SU-2025:1176-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:1241-1
SUSE-SU-2025_1027-1
SUSE-SU-2025_1241-1

Affected Products

Astra Linux
Debian
Linux Kernel
Suse