CVE-2022-49151 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: properly check endpoint type
Syzbot reported a warning in usb_submit_urb() which is caused by a wrong endpoint type. We should check that the IN endpoint is actually present to prevent this warning.
Found pipes are now saved to struct mcba_priv and code uses them directly instead of making pipes in place.
Fail log:
| usb 5-1: BOGUS urb xfer, pipe 3 != type 1
| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| Modules linked in:
| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0
| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
| Workqueue: usb_hub_wq hub_event
| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
| ...
| Call Trace:
|
| mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]
| mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858
| usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
| call_driver_probe drivers/base/dd.c:517 [inline]
Analysis
by VulDB Data Team • 10/16/2025
The vulnerability CVE-2022-49151 affects the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the mcba_usb driver implementation. This issue manifests as a critical endpoint type mismatch that occurs during USB communication with CAN devices. The problem stems from improper validation of USB endpoint types during device initialization, leading to kernel warnings and potential system instability. The vulnerability was identified through automated testing using syzbot, which detected inconsistent behavior in the usb_submit_urb() function where the expected endpoint type did not match the actual endpoint configuration.
The technical flaw resides in the mcba_usb driver's handling of USB pipe configuration during device probe operations. When the driver attempts to initialize USB endpoints for CAN communication, it fails to properly validate endpoint types before submitting USB requests. The error message "BOGUS urb xfer, pipe 3 != type 1" indicates that the driver is attempting to submit a USB request with endpoint type 3 while the system expects type 1, creating a fundamental mismatch in the USB transfer configuration. This misconfiguration occurs because the driver does not properly store or reference previously discovered USB endpoint configurations, instead attempting to recreate pipe information on-the-fly during critical operations.
The operational impact of this vulnerability extends beyond simple kernel warnings to potentially disrupt CAN communication on affected systems. When the endpoint type validation fails, the kernel generates critical warnings that can indicate deeper system instability, particularly in embedded systems or automotive applications where CAN communication is essential. The vulnerability affects systems using the mcba_usb driver for USB-based CAN interface devices, which are commonly found in automotive diagnostics, industrial automation, and embedded systems. The warning originates from the usb_submit_urb function in the USB core subsystem, indicating that the kernel's USB framework detects an invalid endpoint configuration that could lead to data corruption, communication failures, or system crashes.
This vulnerability maps directly to CWE-1225, which covers improper validation of endpoint types in USB communication, and aligns with ATT&CK technique T1059.006 for kernel-level command execution through system calls. The issue also relates to CWE-691, which addresses insufficient control flow management in USB device drivers, and represents a failure in proper resource management during device initialization. The fix implemented addresses the root cause by modifying the mcba_usb driver to properly store discovered USB endpoint configurations in the mcba_priv structure rather than attempting to recreate them during critical operations. This approach ensures that endpoint types are validated and maintained consistently throughout the device lifecycle, preventing the kernel from receiving malformed USB requests that would otherwise trigger the usb_submit_urb warning.
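The two checks discussed above, as a user-space C model added here for illustration (it is not the kernel patch or the driver's code): check_urb_pipe() mirrors the pipe-type comparison behind "BOGUS urb xfer, pipe 3 != type 1", and find_bulk_pipes() shows a probe-time lookup that rejects a device lacking bulk IN and bulk OUT endpoints. The struct and function names and the sample descriptors are constructed for this example, and the need for bulk pipes is inferred from the "pipe 3" in the log; the numeric constants follow the kernel's USB headers.

```c
/* User-space model of USB endpoint type validation (added example). */
#include <stdint.h>
#include <stddef.h>

/* Values as defined by the USB spec and the kernel's USB headers. */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
enum { PIPE_ISOCHRONOUS, PIPE_INTERRUPT, PIPE_CONTROL, PIPE_BULK };

/* Hypothetical, trimmed-down stand-ins for the descriptor and saved pipes. */
struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };
struct found_pipes { int have_in, have_out; uint8_t in_addr, out_addr; };

/* Pipe type the USB core expects, indexed by the descriptor's transfer type. */
static int expected_pipe_type(const struct ep_desc *ep)
{
    static const int pipetypes[4] = {
        PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
    };
    return pipetypes[ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK];
}

/* Submit-time check: 0 if the pipe matches, -1 for the "BOGUS urb xfer" case. */
int check_urb_pipe(int pipe_type, const struct ep_desc *ep)
{
    return pipe_type == expected_pipe_type(ep) ? 0 : -1;
}

/* Probe-time check: save the first bulk IN and bulk OUT endpoints and
 * fail with -1 if either is missing, so such a device is never bound. */
int find_bulk_pipes(const struct ep_desc *eps, size_t n, struct found_pipes *fp)
{
    *fp = (struct found_pipes){0};
    for (size_t i = 0; i < n; i++) {
        uint8_t type = eps[i].bmAttributes & USB_ENDPOINT_XFERTYPE_MASK;
        int is_in = eps[i].bEndpointAddress & USB_DIR_IN;

        if (type != USB_ENDPOINT_XFER_BULK)
            continue;
        if (is_in && !fp->have_in) {
            fp->have_in = 1; fp->in_addr = eps[i].bEndpointAddress;
        } else if (!is_in && !fp->have_out) {
            fp->have_out = 1; fp->out_addr = eps[i].bEndpointAddress;
        }
    }
    return (fp->have_in && fp->have_out) ? 0 : -1;
}

/* Constructed descriptors: bad_dev advertises an interrupt IN endpoint. */
const struct ep_desc good_dev[] = { {0x81, 0x02}, {0x01, 0x02} };
const struct ep_desc bad_dev[]  = { {0x81, 0x03}, {0x01, 0x02} };
```

With bad_dev, a driver that builds a bulk pipe without looking at the descriptor hits the submit-time mismatch (pipe 3 against type 1), while the probe-time lookup rejects the device before any URB is submitted.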
Mitigation strategies should focus on updating to kernel versions that include the patched mcba_usb driver implementation, which properly validates endpoint types before USB request submission. System administrators should prioritize patching embedded systems and automotive applications where CAN communication is critical, as these environments may be more vulnerable to the cascading effects of USB endpoint misconfigurations. The patch demonstrates proper defensive programming practices by ensuring that USB endpoint information is cached and reused rather than recalculated, which aligns with secure coding guidelines for USB device drivers. Additionally, organizations should implement monitoring for kernel warnings related to USB endpoint validation to detect potential exploitation attempts or system instability in environments where CAN communication is essential for operational continuity.