CVE-2022-50785
Description
In the Linux kernel, the following vulnerability has been resolved:
fsi: occ: Prevent use after free
Use get_device and put_device in the open and close functions to make sure the device doesn't get freed while a file descriptor is open. Also, lock around the freeing of the device buffer and check the buffer before using it in the submit function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's FSI OCC driver, improper device reference counting could lead to a use-after-free when a file descriptor outlives the device.
Vulnerability Analysis
The vulnerability resides in the FSI (Flexible Support Interface) OCC (On-Chip Controller) driver within the Linux kernel. The root cause is insufficient device lifecycle management: the driver failed to properly increment and decrement the device's reference count using get_device and put_device during file descriptor open and close operations [1]. This oversight means a device could be freed from memory while a user-space file descriptor still holds a reference to it, leading to a use-after-free condition. Additionally, the driver lacked proper locking when freeing the device's internal buffer and did not validate the buffer's existence before using it in the submit function [1].
Exploitation Conditions
To exploit this vulnerability, an attacker would require local access to the system and the ability to open a file descriptor on the FSI OCC device (e.g., /dev/occ). The attack scenario involves keeping a file descriptor open while triggering device removal (e.g., via hot-unplug or driver unbind), causing the kernel to free the device structure. Subsequent operations on the dangling file descriptor, such as an IOCTL submit call, would then access freed memory [1]. No authentication beyond local user access to the device node is needed.
Impact
A successful exploit could allow a local attacker to cause a denial of service (system crash or memory corruption) or potentially escalate privileges, if the freed memory is repurposed and controlled. The use-after-free in the OCC driver could lead to arbitrary code execution in kernel context, though the primary impact cited is memory safety [1].
Mitigation Status
This vulnerability is patched in the Linux kernel. The fix adds proper get_device/put_device calls in the open and close functions, locks around buffer freeing, and a NULL check before using the buffer in the submit function [1]. Users should update to a kernel version containing the commit 3593e8efc9f0dac6be70bd5c964eadaa86bf2713 or later [1]. No workaround is available without patching.
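The lifecycle pattern the fix establishes, as an added user-space model that is not the kernel driver's code: open/close hold and drop a device reference (standing in for get_device/put_device), remove frees the buffer under the lock and leaves it NULL, and submit checks the buffer under that lock before touching it. All names (occ_dev, occ_open, occ_remove, occ_submit) are hypothetical stand-ins for the real fsi-occ symbols.

```c
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
/* Hypothetical user-space stand-ins for the fsi-occ driver's structures. */
struct occ_dev {
    int refcount;          /* models the embedded struct device refcount */
    int released;          /* set when the last reference drops (kernel: release()) */
    pthread_mutex_t lock;  /* models the driver lock taken around the buffer */
    char *buffer;          /* device buffer freed in remove() */
};
struct occ_file { struct occ_dev *dev; };   /* per-open file state */

static void occ_get(struct occ_dev *d) { d->refcount++; }             /* get_device() */
static void occ_put(struct occ_dev *d) { if (--d->refcount == 0) d->released = 1; } /* put_device() */

struct occ_dev *occ_create(void) {
    struct occ_dev *d = calloc(1, sizeof *d);
    d->refcount = 1;                       /* reference held by the driver core */
    pthread_mutex_init(&d->lock, NULL);
    d->buffer = malloc(64);
    return d;
}

struct occ_file *occ_open(struct occ_dev *d) {
    struct occ_file *f = malloc(sizeof *f);
    f->dev = d;
    occ_get(d);                            /* fix: hold the device while the fd is open */
    return f;
}

void occ_close(struct occ_file *f) {
    occ_put(f->dev);                       /* fix: drop the reference on close, never earlier */
    free(f);
}

/* Device removal: free the buffer under the lock, then drop the core's reference. */
void occ_remove(struct occ_dev *d) {
    pthread_mutex_lock(&d->lock);
    free(d->buffer);
    d->buffer = NULL;                      /* fix: submit can now detect the removal */
    pthread_mutex_unlock(&d->lock);
    occ_put(d);                            /* device struct survives while fds are open */
}

/* Submit on a removed device fails cleanly instead of writing into freed memory. */
int occ_submit(struct occ_file *f, const char *cmd, size_t len) {
    struct occ_dev *d = f->dev;
    int rc = -1;                           /* stands in for -ENODEV */
    pthread_mutex_lock(&d->lock);
    if (d->buffer && len <= 64) { memcpy(d->buffer, cmd, len); rc = (int)len; }
    pthread_mutex_unlock(&d->lock);
    return rc;
}
```

Without the reference taken in occ_open, occ_remove would be the last put and the device (including its lock) would be gone before occ_submit ran, which is the use-after-free the patch closes.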
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0 (no linked articles in our index yet).