VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50725

Description

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()

KASAN reports a use-after-free:

    BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
    Call Trace:
     ...
     dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
     vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge]
     platform_probe+0xb6/0x170
     ...
    Allocated by task 1238:
     ...
     dvb_register_device+0x1a7/0xa70 [dvb_core]
     dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
     vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
     ...
    Freed by task 1238:
     dvb_register_device+0x6d2/0xa70 [dvb_core]
     dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
     vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
     ...

It is because the error handling in vidtv_bridge_dvb_init() is wrong.

First, vidtv_bridge_dmx(dev)_init() will clean up after themselves when they fail, but goto fail_dmx(_dev): calls the release functions again, which causes a use-after-free.

Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause an out-of-bounds access when i has finished its loop (i == NUM_FE). And the release loop is wrong, although NUM_FE is now 1 so it won't cause a problem.

Fix this by correctly releasing everything.
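
The two unwind faults described above, as an added user-space model (not code from the kernel or from the upstream fix). `NUM_FE` is set to 2 here as an assumption, `probe`, `init_fe` and `release_fe` are hypothetical names, and invalid releases are counted rather than performed.

```c
#include <stdio.h>
#define NUM_FE 2 /* constructed; per the description the driver has NUM_FE == 1 */
struct model {
    int live[NUM_FE]; /* 1 while frontend i is registered */
    int bad;          /* releases that were out of range or hit a dead object */
};

/* Record an invalid release instead of performing it, so the model stays safe. */
static void release_fe(struct model *m, int idx)
{
    if (idx < 0 || idx >= NUM_FE || !m->live[idx])
        m->bad++;
    else
        m->live[idx] = 0;
}

/* Self-cleaning init: on failure nothing stays registered for idx. */
static int init_fe(struct model *m, int idx, int fail_at)
{
    if (idx != fail_at)
        m->live[idx] = 1;
    return idx == fail_at ? -1 : 0;
}

/* Hypothetical probe. fail_at: index whose init fails (-1 for none); late_fail:
 * a step after the loop fails. Returns invalid releases; *left = still live. */
static int probe(int fail_at, int late_fail, int fixed, int *left)
{
    struct model m = { {0}, 0 };
    int i, j;
    for (i = 0; i < NUM_FE; i++)
        if (init_fe(&m, i, fail_at))
            break;
    if (i < NUM_FE || late_fail) /* flawed unwind: j = i; corrected: j = i - 1 */
        for (j = fixed ? i - 1 : i; j >= 0; j--)
            release_fe(&m, j);
    for (*left = 0, j = 0; j < NUM_FE; j++)
        *left += m.live[j];
    return m.bad;
}

int main(void)
{
    int left, bad = probe(-1, 1, 0, &left); /* late failure, flawed unwind */
    printf("flawed: %d invalid, %d live\n", bad, left);
    bad = probe(-1, 1, 1, &left);           /* same failure, corrected unwind */
    printf("fixed:  %d invalid, %d live\n", bad, left);
    return 0;
}
```

Starting the unwind at `j = i` touches index `NUM_FE` after a late failure and re-releases the object whose own init already cleaned up; starting at `i - 1` releases each registered object exactly once.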

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free bug in the Linux kernel's vidtv bridge driver can be triggered during probe when error handling incorrectly releases resources.

Vulnerability

CVE-2022-50725 is a use-after-free vulnerability in the Linux kernel's vidtv media driver, specifically in the vidtv_bridge_dvb_init() function. The root cause is flawed error handling: when a failure occurs during device initialization, the functions vidtv_bridge_dmx(dev)_init() clean up their own resources, but the code then jumps to a fail_dmx(_dev) label that calls release functions a second time, leading to a use-after-free condition. A KASAN report demonstrates the freed memory being accessed in dvb_dmxdev_release() [1].

Exploitation

An attacker would need the ability to trigger the vidtv_bridge_probe() call, which occurs during driver initialization. This is typically possible only with physical access to the system or by loading the vidtv module into the kernel, making exploitation unlikely in ordinary desktop or server environments. The vulnerability is triggered during probe error handling, when a subsystem (like the DVB frontend or demux) fails and the driver cleans up incorrectly.

Impact

Successful exploitation could cause a kernel crash (denial of service) or potentially allow an attacker to execute arbitrary code in kernel context, depending on memory layout and timing. The use-after-free occurs in core DVB functions, so an attacker who can control the freed memory could corrupt kernel structures.

Mitigation

The vulnerability is fixed in Linux kernel commit c290aa527fd8, applied to stable trees [2][3]. Users should update to a kernel version containing the fix. No workaround is available; the vidtv driver is typically not enabled in production systems, so disabling or not building the CONFIG_DVB_VIDTV_BRIDGE option eliminates exposure.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
