CVE-2022-49010 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (coretemp) Check for null before removing sysfs attrs
If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group().
[Shortened for readability]
[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
[91855.165103] #PF: supervisor read access in kernel mode
[91855.194506] #PF: error_code(0x0000) - not-present page
[91855.224445] PGD 0 P4D 0
[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
...
[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
...
[91855.796571] Call Trace:
[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
[91855.893432] cpuhp_thread_fun+0x8e/0x150
...
Fix this by checking for NULL first.
Analysis
by VulDB Data Team • 01/18/2026
The vulnerability described in CVE-2022-49010 resides within the Linux kernel's hardware monitoring subsystem, specifically in the coretemp driver responsible for temperature monitoring of CPU cores. This issue represents a classic null pointer dereference scenario that occurs during the cleanup process when a CPU is taken offline. The flaw manifests when the coretemp_add_core() function encounters an error condition, resulting in pdata->core_data[indx] being set to NULL and subsequently freed through kernel memory management functions. The problematic behavior occurs because the driver attempts to pass this already-null pointer to the sysfs_remove_group() function, which expects valid sysfs attribute group structures. This particular vulnerability falls under CWE-476, which categorizes null pointer dereference conditions as a critical class of software defects that can lead to system crashes and potential privilege escalation scenarios.
The technical execution of this vulnerability begins with the coretemp driver's CPU offline processing path, where the kernel attempts to remove hardware monitoring attributes from the sysfs filesystem. During normal operation, the driver manages temperature sensors for each CPU core and maintains sysfs entries that expose temperature readings to user-space applications. When an error occurs during core initialization, the driver correctly identifies the failure and sets the corresponding data structure to NULL, indicating that no valid monitoring data exists for that particular core. However, the cleanup logic fails to account for this null state when attempting to remove sysfs attributes, leading to an immediate kernel crash when sysfs_remove_group() tries to process what it believes to be a valid sysfs group structure but instead encounters a null pointer. The kernel oops trace confirms this behavior with the RIP pointing directly to sysfs_remove_group+0xc/0x80, indicating that the function is attempting to dereference a null pointer at address 0x0000000000000188, a low address of the kind produced by accessing a member through a NULL structure pointer.
The operational impact of this vulnerability extends beyond simple system instability, as it can result in complete system crashes and potential denial of service conditions in environments where CPU hotplugging is frequently utilized. This issue affects systems running Linux kernel versions that include the coretemp driver and are configured to support dynamic CPU core management. The vulnerability is particularly concerning in server environments where CPU hotplugging is commonly used for power management, performance optimization, or hardware maintenance operations. When triggered, the system experiences a kernel NULL pointer dereference that results in a kernel oops and subsequent system crash, potentially leading to data loss or service disruption. The crash occurs specifically during CPU offline processing, which means that any automated system management or power management features relying on CPU hotplug functionality could be compromised, creating a cascading failure scenario that affects system stability and availability. This vulnerability directly maps to attack techniques categorized under the MITRE ATT&CK framework in the privilege escalation and denial of service domains, where adversaries could potentially exploit such kernel-level flaws to cause system instability or gain elevated privileges through carefully crafted system management operations.
The recommended mitigation strategy involves implementing a simple null pointer check before calling sysfs_remove_group() within the coretemp driver's cleanup logic. This fix requires modifying the coretemp_cpu_offline() function to verify that the pdata->core_data[indx] pointer is not NULL before attempting to remove sysfs attributes. The solution aligns with standard kernel development practices for handling error conditions and resource cleanup, ensuring that all cleanup operations are defensive against null pointer scenarios. System administrators should ensure that affected systems are updated with kernel versions containing the patched coretemp driver implementation, which typically involves applying the specific kernel patch that introduces the null check. Organizations should also monitor their systems for potential exploitation attempts and implement appropriate system hardening measures, including kernel security modules and monitoring solutions that can detect anomalous CPU hotplug activity patterns that might indicate exploitation attempts. The fix represents a minimal code change that addresses the root cause without altering the driver's functionality, making it suitable for deployment across various Linux distributions and kernel versions while maintaining system stability and security posture.
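The pattern described above, as a user-space model added here for illustration; it is not the coretemp driver's code. The struct layout and the model_* and unchecked_group_addr names are assumptions made for this example, which also shows why an unchecked remove faults at a small non-zero address rather than at 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct attr_group { int registered; };
struct temp_data { long tjmax; struct attr_group attr_group; }; /* constructed layout */
struct platform_data { struct temp_data *core_data[4]; };

/* Stand-in for sysfs_remove_group(): it reads through the pointer it is given. */
static void model_remove_group(struct attr_group *grp) { grp->registered = 0; }

static int model_add_core(struct platform_data *pd, int indx, int fail)
{
    struct temp_data *td = calloc(1, sizeof(*td));
    if (!td || fail) {            /* error path: free it and leave the slot NULL */
        free(td);
        pd->core_data[indx] = NULL;
        return -1;
    }
    td->attr_group.registered = 1;
    pd->core_data[indx] = td;
    return 0;
}

/* Address an unchecked remove would hand on: a member offset from NULL, not NULL. */
static size_t unchecked_group_addr(const struct platform_data *pd, int indx)
{
    return (size_t)pd->core_data[indx] + offsetof(struct temp_data, attr_group);
}

/* Checked remove: 1 if a core was torn down, 0 if the slot was already gone. */
static int model_remove_core(struct platform_data *pd, int indx)
{
    struct temp_data *td = pd->core_data[indx];
    if (!td)
        return 0;
    model_remove_group(&td->attr_group);
    free(td);
    pd->core_data[indx] = NULL;
    return 1;
}

int main(void)
{
    struct platform_data pd = {0};
    model_add_core(&pd, 1, 1);    /* constructed case: add fails, slot 1 stays NULL */
    printf("%#zx %d\n", unchecked_group_addr(&pd, 1), model_remove_core(&pd, 1));
    return 0;
}
```

The checked remove is also safe to call twice on the same slot, which is the property the offline path needs after a failed add.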