CVE-2022-50640
Description
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Fix kernel panic when remove non-standard SDIO card
SDIO tuple is only allocated for standard SDIO card, especially it causes memory corruption issues when the non-standard SDIO card has been removed, which is because the card device's reference counter does not increase for it at sdio_init_func(), but all SDIO card device reference counters get decreased at sdio_release_func().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel MMC/core bug causes kernel panic (use-after-free) when removing a non-standard SDIO card due to unbalanced reference counts.
Vulnerability
CVE-2022-50640 is a vulnerability in the Linux kernel's MMC core subsystem. When a non-standard SDIO card is removed, a kernel panic can occur. The root cause is that SDIO tuples are only allocated for standard SDIO cards. For non-standard cards, the card device's reference counter is not incremented in sdio_init_func(), but the counter is always decremented in sdio_release_func() during removal. This imbalance leads to a use-after-free or memory corruption, triggering a kernel panic [1][2].
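The imbalance described above, as an added user-space model in C (not kernel code and not the upstream patch). The names model_card, model_init_func and the two release variants are hypothetical, and the model assumes the card starts with one reference held by its owner.

```c
/* User-space model of the refcount imbalance; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct model_card {
    int  refs;    /* references held on the card device */
    bool nonstd;  /* non-standard SDIO card */
    bool freed;   /* set when refs reaches zero */
};

static void card_get(struct model_card *c) { c->refs++; }
static void card_put(struct model_card *c)
{
    if (--c->refs == 0)
        c->freed = true;  /* the kernel would free the device here */
}

/* Init path: only standard cards get tuples, and only then is a reference taken. */
static void model_init_func(struct model_card *c)
{
    if (!c->nonstd)
        card_get(c);
}

/* Release path as the description states it: every card loses a reference. */
static void model_release_unbalanced(struct model_card *c) { card_put(c); }

/* Balanced release: drop only the reference the init path took. */
static void model_release_balanced(struct model_card *c)
{
    if (!c->nonstd)
        card_put(c);
}

/* True if the card is freed while its owner's reference is still outstanding. */
static bool freed_while_owned(bool nonstd, bool balanced)
{
    struct model_card c = { .refs = 1, .nonstd = nonstd, .freed = false };
    model_init_func(&c);
    if (balanced)
        model_release_balanced(&c);
    else
        model_release_unbalanced(&c);
    return c.freed;  /* the owner has not dropped its reference yet */
}

int main(void)
{
    printf("non-standard card freed early: unbalanced=%d balanced=%d\n",
           freed_while_owned(true, false), freed_while_owned(true, true));
    return 0;
}
```

In the unbalanced case the non-standard card's count reaches zero while the owner still expects a live object, which is the state that precedes the memory corruption and panic.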
Exploitation
An attacker with physical access to the system could trigger this bug by inserting and then removing a specially crafted non-standard SDIO card. No authentication is needed, but the attacker must be able to physically interact with the SDIO slot. The attack surface is limited to systems that allow hot-plugging of SDIO cards, such as embedded devices, laptops, or single-board computers.
Impact
Successful exploitation causes a kernel panic, leading to a denial of service (DoS) as the system crashes or becomes unstable. The reference count mismatch can also corrupt kernel memory, potentially allowing for further exploitation, though the primary impact is system availability.
Mitigation
The fix, which corrects the reference counting for non-standard cards, has been backported to multiple stable kernel versions (e.g., 5.10, 5.15, 5.4, 4.19) and is available in kernel commits [3][4]. Users should update their kernel to incorporate the patch. No workaround is available other than preventing hotplug of non-standard SDIO cards.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf (nvd)
- git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d (nvd)
- git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b (nvd)
- git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0 (nvd)
- git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96 (nvd)
- git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18 (nvd)
- git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95 (nvd)
- git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f (nvd)