CVE-2022-50786

Root

Cause

In the Linux kernel's s5p-mfc (Samsung Multi Format Codec ) driver, when a CLOSE_INSTANCE command fails, the ctx_work_bits flag was not cleared. This oversight means that the driver's work queue still believes the context has pending work, even though the context itself may have been freed or invalidated [1][2].

Exploitation

An attacker with the ability to trigger a CLOSE_INSTANCE error on a vulnerable system can cause the driver to later attempt to process work on a stale or freed context. No special privileges beyond local access to the media device are required; the attack surface is the MFC device interface exposed to user space [3][4].

Impact

When the driver subsequently tries to execute work for the un-cleared context, it dereferences a NULL pointer, resulting in a kernel panic. This constitutes a denial-of-service condition can crash the entire system, making it unavailable until reboot [1][4].

Mitigation

The fix, already merged into the stable kernel tree, ensures that ctx_work_bits is always cleared, even on error paths. Users should apply the latest kernel updates from their distribution or directly cherry-pick the commit [2][3].