CVE-2022-48872 in Linux

Summary

by MITRE • 08/21/2024

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted.

Fixes this warning:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
 refcount_warn_saturate
 [fastrpc_map_get inlined]
 [fastrpc_map_lookup inlined]
 fastrpc_map_create
 fastrpc_internal_invoke
 fastrpc_device_ioctl
 __arm64_sys_ioctl
 invoke_syscall


Analysis

by VulDB Data Team • 02/17/2026

The vulnerability CVE-2022-48872 represents a critical use-after-free race condition within the Linux kernel's fastrpc subsystem, specifically affecting the misc device driver responsible for Qualcomm's Fast RPC implementation. This flaw exists in the interaction between multiple reference counting functions and concurrent thread operations, creating a scenario where memory safety is compromised during map lifecycle management. The vulnerability manifests when the fastrpc_map_get() function attempts to increment a reference count on a map structure that may already be in the process of deletion, leading to potential memory corruption and system instability.

The technical root cause stems from improper synchronization mechanisms within the fastrpc subsystem's map management code. When fastrpc_map_get() is called, it should only increment the reference count if the map is still valid and not about to be deleted. However, the original implementation failed to properly check the state of the map before incrementing the reference counter, creating a window where another thread executing fastrpc_map_lookup() could obtain a reference to a map that was already scheduled for deletion. This race condition directly violates the fundamental principles of concurrent programming and memory safety, as outlined in CWE-362 - Concurrent Execution using Shared Resource with Unprotected Read-Write Access.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system compromise. Attackers could exploit this race condition to manipulate memory contents, leading to arbitrary code execution within kernel space. The warning message "refcount_t: addition on 0; use-after-free" specifically indicates that the reference counter has been incremented on a zero value, which is a clear indicator of attempting to use memory that has already been freed. This pattern aligns with ATT&CK technique T1068 - Exploitation for Privilege Escalation, where adversaries leverage kernel-level vulnerabilities to gain elevated privileges.

The fix implemented addresses the core issue by modifying fastrpc_map_get() to only increment reference counts when the map has a non-zero reference count, effectively preventing the use-after-free condition. This change requires propagating the updated behavior to all callers, ensuring they can properly detect when a map is about to be deleted and handle such scenarios appropriately. The solution follows established best practices for concurrent programming and memory management, preventing the addition to a zero reference counter that would otherwise lead to system crashes or exploitable conditions. This remediation directly addresses the race condition by ensuring proper synchronization between map creation, lookup, and deletion operations, thereby maintaining the integrity of the fastrpc subsystem and preventing unauthorized access to freed memory structures.
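The increment-only-if-non-zero rule described above, as an added userspace illustration in C11 atomics. It is not the kernel driver's code; it shows the same semantics the kernel provides through kref_get_unless_zero(). All demo_* names are hypothetical, and the two-thread interleaving is replayed sequentially so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a map object; only the reference count is modelled. */
struct demo_map { atomic_uint refcount; };

/* Pre-fix shape: unconditional increment, which "revives" a count that is already 0. */
static unsigned demo_get_unconditional(struct demo_map *m)
{
    return atomic_fetch_add(&m->refcount, 1) + 1;
}

/* Post-fix shape: take a reference only while the count is non-zero. */
static bool demo_get_unless_zero(struct demo_map *m)
{
    unsigned old = atomic_load(&m->refcount);
    while (old != 0) {
        /* On failure `old` is refreshed with the current value and we retry. */
        if (atomic_compare_exchange_weak(&m->refcount, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; true means the caller dropped the last one and must free. */
static bool demo_put(struct demo_map *m)
{
    return atomic_fetch_sub(&m->refcount, 1) == 1;
}

/* Replays the window: thread A drops the last reference, and before A's
 * release path runs, thread B looks the map up.
 * Returns 1 if B ends up holding the dying map, 0 if B is refused. */
static int demo_replay(bool fixed)
{
    struct demo_map m;
    atomic_init(&m.refcount, 1);
    if (!demo_put(&m))                            /* thread A: 1 -> 0, free pending */
        return -1;
    if (fixed)
        return demo_get_unless_zero(&m) ? 1 : 0;  /* thread B, post-fix: refused */
    return demo_get_unconditional(&m) == 1;       /* thread B, pre-fix: 0 -> 1 */
}

int main(void)
{
    printf("pre-fix:  B holds dying map = %d\n", demo_replay(false));
    printf("post-fix: B holds dying map = %d\n", demo_replay(true));
    return 0;
}
```

A caller that is refused has to treat the map as absent, which is what propagating the result to callers means in the fix description.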

Responsible

Linux

Reservation

07/16/2024

Disclosure

08/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00242

KEV

no

Activities

very low
