CVE-2022-1195 in Linux
Summary
by MITRE • 04/29/2022
A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and resources are reclaimed early.
Analysis
by VulDB Data Team • 05/18/2025
The vulnerability identified as CVE-2022-1195 represents a critical use-after-free condition within the Linux kernel's hamradio driver subsystem. This flaw exists in the drivers/net/hamradio directory and specifically affects the mkiss and sixpack device implementations that handle serial communication for amateur radio applications. The vulnerability stems from improper memory management during device detachment operations where the kernel fails to properly synchronize resource deallocation with ongoing operations, creating a window where freed memory can be accessed after it has been released to the system.
The vulnerability is a race condition in which a local user manipulates the device lifecycle through specific ioctl calls or device removal sequences. When the mkiss or sixpack device is detached, the kernel's memory management routines free the allocated structures without ensuring that all pending operations have completed. Any subsequent access to the freed memory can then result in kernel crashes, data corruption, or unpredictable behavior that manifests as a denial of service condition. The flaw is classified under CWE-416 (Use After Free), where memory is accessed after it has been freed, and is a classic example of improper resource management in kernel space.
The operational impact of CVE-2022-1195 extends beyond simple denial of service to potentially compromise system stability and availability in environments where amateur radio applications are actively used. Local attackers with basic user privileges can exploit this vulnerability to disrupt network services, particularly on systems running radio communication software that relies on these kernel drivers. The vulnerability is particularly concerning in embedded systems or specialized communication platforms where amateur radio equipment interfaces are critical for operations, as it could lead to complete system crashes or require manual intervention to restore normal functionality. This type of vulnerability aligns with ATT&CK technique T1068, which covers "Exploitation for Privilege Escalation", and T1499, which addresses "Endpoint Denial of Service" through kernel-level attacks.
Mitigation strategies for CVE-2022-1195 should focus on immediate kernel updates that include proper synchronization mechanisms and memory management fixes. System administrators should prioritize patching affected kernel versions and monitor for any signs of exploitation attempts through log analysis. The recommended approach includes implementing proper reference counting mechanisms and ensuring that device detachment operations wait for all pending operations to complete before freeing memory resources. Additionally, monitoring for unusual device attachment and detachment patterns in system logs can help detect potential exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit local user privileges where possible, reducing the attack surface for this specific vulnerability. The fix typically involves adding proper locking mechanisms and ensuring that memory deallocation only occurs when no references to the freed memory exist, addressing the fundamental race condition that enables the use-after-free scenario.
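The reference-counting rule described above, shown as an added userspace C model; it is not kernel code and not the upstream patch. `struct radio_dev` and the `dev_*` functions are hypothetical names, and the scenario is constructed: a detach arrives while a transmit still holds a reference.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-device state; a userspace model, not kernel code. */
struct radio_dev {
    atomic_int refs;      /* 1 for the attachment + 1 per in-flight operation */
    atomic_bool detached; /* set once detach has started */
};
int freed_count;          /* counts real frees so the scenario can be checked */

struct radio_dev *dev_attach(void) {
    struct radio_dev *d = calloc(1, sizeof(*d));
    if (d) { atomic_init(&d->refs, 1); atomic_init(&d->detached, false); }
    return d;
}
/* Take a reference for one operation; refused once detach has begun. */
bool dev_get(struct radio_dev *d) {
    int old = atomic_load(&d->refs);
    do {
        if (old == 0 || atomic_load(&d->detached)) return false;
    } while (!atomic_compare_exchange_weak(&d->refs, &old, old + 1));
    return true;
}
/* Drop a reference; only the last holder frees. Returns true if it freed. */
bool dev_put(struct radio_dev *d) {
    if (atomic_fetch_sub(&d->refs, 1) != 1) return false;
    free(d);
    freed_count++;
    return true;
}
/* Detach: stop new operations, then drop the attachment's own reference. */
bool dev_detach(struct radio_dev *d) {
    atomic_store(&d->detached, true);
    return dev_put(d);
}
/* Constructed scenario. Result bits: 1 = detach freed early (the bug),
 * 2 = an operation started after detach, 4 = the last put freed. Want 4. */
int detach_during_tx(void) {
    struct radio_dev *d = dev_attach();
    if (!d || !dev_get(d)) return -1;  /* transmit path takes its reference */
    int r = dev_detach(d) ? 1 : 0;     /* must not free: transmit holds a ref */
    r |= dev_get(d) ? 2 : 0;           /* new operations refused after detach */
    r |= dev_put(d) ? 4 : 0;           /* transmit ends; memory released here */
    return r;
}
int main(void) {
    return printf("result=%d\n", detach_during_tx()) < 0;
}
```

The model covers only the lifetime rule; the pointer handed to `dev_get` must itself be looked up under protection that detach also respects.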