CVE-2022-50767

Vulnerability

Description

CVE-2022-50767 describes several use-after-free (UAF) vulnerabilities in the Linux kernel's smscufx framebuffer driver. The root cause is improper handling of device removal: when a USB device is physically disconnected, the driver's data structures can be freed while still being accessed, leading to UAF conditions [1][2][3].

Exploitation

An attacker with physical access to a system using the affected driver can trigger these UAFs by simply unplugging the USB device. No authentication or special privileges are required beyond the ability to physically remove the device. The attack surface is limited to systems with the smscufx driver loaded and a compatible USB display adapter attached [1][2][3].

Impact

Successful exploitation could allow an attacker to cause a denial-of-service the system (kernel crash) or potentially execute arbitrary code in kernel context, depending on the specific UAF scenario. The vulnerabilities are classified as high severity due to the possibility of privilege escalation privilege escalation [1][2][3].

Mitigation

The fix introduces a ufx_ops_destroy() function assigned to fb_ops.fb_destroy, which uses kref_put() to safely release the device only after all references are dropped. This prevents the UAFs by ensuring proper reference counting during device removal. The patch has been applied to the Linux kernel stable branches [1][2][3]. Users should update to a kernel version containing the fix.