CVE-2022-48874 in Linux
Summary
by MITRE • 08/21/2024
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix use-after-free and race in fastrpc_map_find
Currently, there is a race window between the point when the mutex is unlocked in fastrpc_map_lookup and the reference count increasing (fastrpc_map_get) in fastrpc_map_find, which can also lead to use-after-free.
So let's merge fastrpc_map_find into fastrpc_map_lookup which allows us to both protect the maps list by also taking the &fl->lock spinlock and the reference count, since the spinlock will be released only after. Add take_ref argument to make this suitable for all callers.
Analysis
by VulDB Data Team • 02/17/2026
The vulnerability identified as CVE-2022-48874 resides within the Linux kernel's fastrpc subsystem, specifically affecting the miscellaneous device driver component. This issue manifests as a use-after-free condition and race window that can potentially compromise system stability and security. The flaw occurs in the interaction between two critical functions: fastrpc_map_lookup and fastrpc_map_find, which are responsible for managing memory mappings within the fastrpc framework. The vulnerability represents a classic concurrency issue where improper synchronization between multiple threads can lead to memory corruption and potential privilege escalation.
The technical root cause is a gap in locking between fastrpc_map_lookup and fastrpc_map_get. fastrpc_map_lookup releases its mutex once the lookup is done, and fastrpc_map_find only afterwards increments the reference count through fastrpc_map_get. In the window between those two steps, another thread could free the map structure, so the reference is then taken on memory that has already been released. This race condition creates an opportunity for attackers to exploit the system by manipulating concurrent access patterns to trigger memory corruption. The vulnerability specifically concerns the management of reference counts and list operations within the fastrpc subsystem, where proper synchronization is crucial to maintain data integrity.
The operational impact of this vulnerability extends beyond simple system instability, potentially enabling attackers to execute arbitrary code with elevated privileges. The use-after-free condition can be leveraged to corrupt memory structures, leading to denial of service or more severe exploitation scenarios where attackers might gain unauthorized access to system resources. The fastrpc subsystem is commonly used in mobile and embedded systems for high-performance communication between user space and kernel space components, making this vulnerability particularly concerning for devices that rely on such mechanisms for critical operations. Security researchers have classified this issue as a medium to high severity vulnerability based on its potential for privilege escalation and system compromise.
Mitigation for CVE-2022-48874 consists of a more robust synchronization approach: the fastrpc_map_find functionality is merged into fastrpc_map_lookup. This ensures that both the maps list protection and the reference count management occur under the same lock, specifically the &fl->lock spinlock, which is released only after all operations are completed. The fix introduces a take_ref argument to accommodate all existing callers while maintaining backward compatibility. This approach aligns with common security practices for concurrent programming and follows the principle of least privilege by ensuring proper resource management. The fix addresses the underlying CWE-362 weakness related to race conditions; the flaw itself corresponds to ATT&CK technique T1068, since memory corruption of this kind can potentially enable privilege escalation. System administrators should prioritize applying the kernel patches that implement this fix, particularly on systems running mobile or embedded Linux distributions that utilize the fastrpc subsystem for device communication.
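The locking change described above, modeled in userspace C as an added example (not the kernel's code): a pthread mutex stands in for the &fl->lock spinlock, and the struct and function names are hypothetical. `map_lookup` takes the reference inside the critical section, while `map_find_racy` keeps the pre-fix shape so the window is visible.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Userspace model; names are hypothetical, not the kernel's structures. */
struct map { int fd; int refs; struct map *next; };
struct user { pthread_mutex_t lock; struct map *maps; };

/* Fixed pattern: list search and reference acquisition share one critical section. */
static int map_lookup(struct user *fl, int fd, struct map **out, int take_ref)
{
    int ret = -ENOENT;

    pthread_mutex_lock(&fl->lock);
    for (struct map *m = fl->maps; m; m = m->next) {
        if (m->fd != fd)
            continue;
        if (take_ref)
            m->refs++;      /* still under fl->lock: m cannot be freed here */
        *out = m;
        ret = 0;
        break;
    }
    pthread_mutex_unlock(&fl->lock);
    return ret;
}

/* Pre-fix shape: the reference is taken after the lock was dropped. */
static int map_find_racy(struct user *fl, int fd, struct map **out)
{
    int ret = map_lookup(fl, fd, out, 0);
    /* window: a concurrent map_put() may free *out at this point */
    if (!ret)
        (*out)->refs++;
    return ret;
}

/* Drop a reference; on the last put, unlink and free under the same lock. */
static void map_put(struct user *fl, struct map *m)
{
    pthread_mutex_lock(&fl->lock);
    if (--m->refs == 0) {
        for (struct map **pp = &fl->maps; *pp; pp = &(*pp)->next)
            if (*pp == m) { *pp = m->next; break; }
        free(m);
    }
    pthread_mutex_unlock(&fl->lock);
}
```

Because `map_put` unlinks and frees under the same lock, a caller of `map_lookup(..., 1)` either gets a map with its reference already counted or gets `-ENOENT`; there is no state in between.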