CVE-2022-50745
Description
In the Linux kernel, the following vulnerability has been resolved:
staging: media: tegra-video: fix device_node use after free
At probe time this code path is followed:
- tegra_csi_init
  - tegra_csi_channels_alloc
    - for_each_child_of_node(node, channel) -- iterates over channels
      - automatically gets 'channel'
        - tegra_csi_channel_alloc()
          - saves into chan->of_node a pointer to the channel OF node
      - automatically gets and puts 'channel'
      - now the node saved in chan->of_node has refcount 0, can disappear
  - tegra_csi_channels_init
    - iterates over channels
      - tegra_csi_channel_init -- uses chan->of_node
After that, chan->of_node keeps storing the node until the device is removed.
of_node_get() the node and of_node_put() it during teardown to avoid any risk.
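
The get/put sequence described above, as an added userspace model that is not part of the CVE record or the kernel patch. The names node_get, node_put, next_child, channels_alloc and stale_at_init are hypothetical stand-ins, and the model assumes the iterator's reference is the only one held on each child node.

```c
/* Userspace model (constructed, not kernel code): node_get()/node_put() stand in
 * for of_node_get()/of_node_put(); a "released" flag replaces the real free. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct node { int refcount; bool released; };
struct chan { struct node *of_node; };

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }
static void node_put(struct node *n)
{
    if (n && --n->refcount == 0)
        n->released = true; /* the kernel could free the node here */
}

/* Iterator step modeled on for_each_child_of_node(): take a reference on
 * the next child and drop the one held on the previous child. */
static struct node *next_child(struct node *kids, size_t n, struct node *prev)
{
    size_t i = prev ? (size_t)(prev - kids) + 1 : 0;
    struct node *next = i < n ? node_get(&kids[i]) : NULL;
    node_put(prev);
    return next;
}

/* Alloc phase: take_ref=false is the pre-fix store, true the fixed one. */
static void channels_alloc(struct node *kids, struct chan *ch, size_t n, bool take_ref)
{
    size_t i = 0;
    for (struct node *c = next_child(kids, n, NULL); c; c = next_child(kids, n, c))
        ch[i++].of_node = take_ref ? node_get(c) : c;
}

/* Init phase: count saved pointers whose node was already released.
 * Assumption: the iterator's reference is the only one on each child. */
static size_t stale_at_init(bool take_ref)
{
    struct node kids[2] = { {0, false}, {0, false} };
    struct chan ch[2];
    size_t stale = 0;
    channels_alloc(kids, ch, 2, take_ref);
    for (size_t i = 0; i < 2; i++)
        stale += ch[i].of_node->released;
    for (size_t i = 0; take_ref && i < 2; i++)
        node_put(ch[i].of_node); /* teardown drops the saved reference */
    return stale;
}

int main(void) { printf("pre-fix: %zu stale, fixed: %zu stale\n", stale_at_init(false), stale_at_init(true)); return 0; }
```
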
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's tegra-video driver, a use-after-free of a device_node pointer occurs due to missing reference counting, allowing a potential local privilege escalation.
Vulnerability
Description
In the Linux kernel's staging media driver tegra-video, a use-after-free vulnerability exists in the device_node handling within the Tegra CSI (Camera Serial Interface) initialization path [1]. The root cause is a missing of_node_get() call when storing a pointer to a device tree node. During probe, the function tegra_csi_channels_alloc iterates over child nodes using for_each_child_of_node, which automatically takes and releases a reference to each node. The pointer to the node is saved into chan->of_node without incrementing its reference count. Once the loop iteration completes, the node's reference count drops to zero and it can be freed [2].
Exploitation
An attacker with the ability to load or influence the behavior of the tegra-video driver could exploit this flaw. The use-after-free condition occurs when the driver later calls tegra_csi_channels_init, which accesses the freed chan->of_node pointer [1]. Exploitation requires local access to the system and the ability to trigger the probe sequence of the Tegra CSI driver. While the race window is narrow, a successful trigger could result in memory corruption.
Impact
Successful exploitation of this use-after-free could lead to a denial of service (system crash) or, potentially, local privilege escalation if an attacker can manipulate the freed memory to control execution flow [2]. The vulnerability affects systems using the Tegra video driver in the Linux kernel.
Mitigation
The fix adds an of_node_get() call when storing the node pointer and an of_node_put() during driver teardown to ensure proper reference counting [1][2]. The patch has been applied to the stable kernel tree. Users should update their kernel to a version containing this fix. The vulnerability is rated as moderate severity due to the local access requirement and the need for specific hardware.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- 5451efb2ca30
- ce50c6124580
- 6512c9498fcb
- 0fd003d3c708
- c4d344163c3a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/0fd003d3c708c80350a815eaf37b8e1114b976cf (nvd)
- git.kernel.org/stable/c/5451efb2ca30f3c42b9efb8327ce35b62870dbd3 (nvd)
- git.kernel.org/stable/c/6512c9498fcb97e7c760e3ef86b2272f2c0f765f (nvd)
- git.kernel.org/stable/c/c4d344163c3a7f90712525f931a6c016bbb35e18 (nvd)
- git.kernel.org/stable/c/ce50c612458091d926ccb05d7db11d9f93532db2 (nvd)