CVE-2022-49202 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: add missing NULL check in h5_enqueue
Syzbot hit a general protection fault in __pm_runtime_resume(). The problem was a missing NULL check.
hu->serdev can be NULL and we should not blindly pass &serdev->dev somewhere, since it will cause a GPF.
Analysis
by VulDB Data Team • 02/16/2026
CVE-2022-49202 is a NULL pointer dereference in the Linux kernel's Bluetooth hci_uart driver, in h5_enqueue(), the transmit path of the Three-wire UART (H5) transport. Before the fix, h5_enqueue() passed &hu->serdev->dev to the runtime power-management helpers (pm_runtime_get_sync() and its companions, which is why the fault surfaces in __pm_runtime_resume()) without checking that hu->serdev is set. hu->serdev is populated only when the controller is attached through the serdev bus; when the H5 protocol is selected on a tty through the N_HCI line discipline, hu->serdev stays NULL, and the first access through the NULL-based address raises a general protection fault that takes the kernel down. syzbot found the fault by fuzzing this path. The result is a crash, not memory corruption: the CPU traps on the bad address before anything is written through it.
This vulnerability falls under CWE-476, NULL Pointer Dereference. Although that weakness class can in some contexts contribute to more serious outcomes, here the fault is immediate and unconditional, so the practical effect is a kernel crash (denial of service) rather than privilege escalation or code execution. The defect is also not triggered by a malicious remote device or malformed Bluetooth packets. It lives on the host side of the transport and fires on any packet the host sends to the controller once the H5 protocol has been selected on a line-discipline-attached tty, so the precondition is local access that can configure the HCI UART transport. For context, hci_uart moves HCI packets between the host stack and a controller reached over a serial port; the H5 layer adds the framing, sequence numbers and retransmission of the Three-wire UART transport on top of the raw UART.
The operational impact of CVE-2022-49202 is loss of availability: the general protection fault in __pm_runtime_resume() oopses or panics the host, and with panic_on_oops set it reboots. The power-management subsystem is not taken over in any attacker-controlled sense, and the bug offers no path to privilege escalation. Affected systems are those running a kernel without the fix in which the hci_uart driver is built with the Three-wire protocol (CONFIG_BT_HCIUART_3WIRE): typically laptops, single-board computers, IoT and other embedded systems whose Bluetooth controller sits on a UART rather than on USB. Controllers attached through serdev have hu->serdev set and do not reach this dereference; the exposed case is the line-discipline attach path.
Mitigation for CVE-2022-49202 is the kernel commit "Bluetooth: hci_uart: add missing NULL check in h5_enqueue", which wraps the runtime-PM calls in h5_enqueue() in an if (hu->serdev) guard so that the line-discipline path skips them. System administrators should move to a kernel release, or a distribution kernel, that carries that commit or its stable backport; searching the kernel changelog for the commit title is the reliable way to confirm, since the CVE identifier was assigned well after the code change. Where the fix cannot be applied yet, not loading hci_uart on systems without a UART-attached controller, or not selecting the 3-wire protocol on line-discipline-attached ttys, removes the reachable path. A crash from this bug shows up as an oops with __pm_runtime_resume near the top of a backtrace that passes through h5_enqueue. Regular kernel update schedules remain the general protection against the steady stream of similar dereference fixes in the kernel's driver tree.
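The shape of the fix is the guard on hu->serdev. As an added illustration (not the kernel's code, and not from the page's authors), the following stand-alone C program models hci_uart's two attachment paths with simplified stand-in types and runtime-PM stubs, and places the pre-fix and post-fix shapes of h5_enqueue() side by side; the struct layouts, the MODEL_GPF sentinel that stands in for the kernel's fault, and the helper names are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustration added to this page, not kernel code: simplified stand-ins for
 * the kernel structures and runtime-PM helpers that h5_enqueue() touches.
 * Field and function names mirror the kernel's so the fix is recognizable. */
struct device { int pm_usage_count; };
struct serdev_device { struct device dev; };
struct hci_uart {
    struct serdev_device *serdev;  /* set on serdev attach; NULL on N_HCI ldisc attach */
    int tx_packets;
};

/* Stand-in for the general protection fault the kernel takes on &NULL->dev. */
#define MODEL_GPF (-14)

static int pm_runtime_get_sync(struct device *dev)
{
    dev->pm_usage_count++;
    return 0;
}
static void pm_runtime_mark_last_busy(struct device *dev) { (void)dev; }
static void pm_runtime_put_autosuspend(struct device *dev) { dev->pm_usage_count--; }

/* Pre-fix shape: the three runtime-PM calls use hu->serdev unconditionally.
 * The NULL case is reported as MODEL_GPF here instead of dereferencing NULL. */
static int h5_enqueue_before_fix(struct hci_uart *hu)
{
    hu->tx_packets++;
    if (hu->serdev == NULL)
        return MODEL_GPF;   /* the kernel faults inside __pm_runtime_resume() here */
    pm_runtime_get_sync(&hu->serdev->dev);
    pm_runtime_mark_last_busy(&hu->serdev->dev);
    pm_runtime_put_autosuspend(&hu->serdev->dev);
    return 0;
}

/* Post-fix shape: runtime PM only applies to a serdev-backed controller, so
 * the calls sit behind the check the patch added. */
static int h5_enqueue_after_fix(struct hci_uart *hu)
{
    hu->tx_packets++;
    if (hu->serdev) {
        pm_runtime_get_sync(&hu->serdev->dev);
        pm_runtime_mark_last_busy(&hu->serdev->dev);
        pm_runtime_put_autosuspend(&hu->serdev->dev);
    }
    return 0;
}

/* Line-discipline attach (e.g. btattach on a tty): serdev stays NULL. */
static int enqueue_on_ldisc_before_fix(void)
{
    struct hci_uart hu = { NULL, 0 };
    return h5_enqueue_before_fix(&hu);
}

static int enqueue_on_ldisc_after_fix(void)
{
    struct hci_uart hu = { NULL, 0 };
    return h5_enqueue_after_fix(&hu);
}

/* serdev attach: both shapes behave identically and leave the PM usage
 * count balanced (one get, one put per packet). Returns 1 on success. */
static int enqueue_on_serdev_is_balanced(void)
{
    struct serdev_device sd = { { 0 } };
    struct hci_uart hu = { &sd, 0 };
    if (h5_enqueue_before_fix(&hu) != 0 || h5_enqueue_after_fix(&hu) != 0)
        return 0;
    return sd.dev.pm_usage_count == 0 && hu.tx_packets == 2;
}

int main(void)
{
    printf("ldisc attach, before fix: %d (MODEL_GPF)\n", enqueue_on_ldisc_before_fix());
    printf("ldisc attach, after fix:  %d\n", enqueue_on_ldisc_after_fix());
    printf("serdev attach, PM balanced: %d\n", enqueue_on_serdev_is_balanced());
    return 0;
}
```

The point the model makes is that the guard changes nothing for the serdev path (the PM counters stay balanced either way) and only removes the fault on the line-discipline path, which is exactly the scope of the kernel patch.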