CVE-2022-49286 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
tpm: use try_get_ops() in tpm-space.c
As part of the series conversion to remove nested TPM operations:
https://lore.kernel.org/all/[email protected]/
exposure of the chip->tpm_mutex was removed from much of the upper level code. In this conversion, tpm2_del_space() was missed. This didn't matter much because it's usually called closely after a converted operation, so there's only a very tiny race window where the chip can be removed before the space flushing is done which causes a NULL deref on the mutex. However, there are reports of this window being hit in practice, so fix this by converting tpm2_del_space() to use tpm_try_get_ops(), which performs all the teardown checks before acquiring the mutex.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability described in CVE-2022-49286 is a critical race condition in the Linux kernel's Trusted Platform Module (TPM) subsystem, specifically in the tpm-space.c component. It dates from a broader effort to modernize TPM operations by eliminating nested TPM operations and removing direct exposure of chip->tpm_mutex from upper-level code. The flaw stems from an incomplete conversion: tpm2_del_space() was overlooked when the rest of the code moved to the new TPM operation framework. Technically, it manifests as a NULL pointer dereference when the TPM chip is removed before the space flushing performed by tpm2_del_space() has completed, a narrow but reachable race window.
The operational impact of this vulnerability extends beyond simple system stability concerns into security implications for systems that rely on the TPM for hardware-based security functions. When the race is hit, the kernel dereferences a NULL pointer, which typically results in a system crash or panic. This constitutes a denial of service vulnerability that malicious actors could use to disrupt critical security infrastructure. Its severity is heightened by the fact that TPM operations underpin many security mechanisms, including secure boot, cryptographic key storage, and hardware-based authentication. In CWE terms the vulnerability maps to CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization, and it aligns with ATT&CK technique T1499.001: Endpoint Denial of Service - Resource Exhaustion or Consuming Services to disrupt system availability.
The fix converts tpm2_del_space() to use tpm_try_get_ops() instead of taking the mutex directly. tpm_try_get_ops() performs all teardown checks before acquiring the mutex, which closes the window in which the chip could be removed before space flushing completes. The change follows the established pattern of the broader TPM operation conversion series that began in 2019, as referenced in the kernel development discussions. It provides proper reference counting and validation of the TPM chip's operational state before any mutex acquisition, so the NULL pointer dereference that could occur while the chip structure is being torn down with operations still pending can no longer happen. As a result, the TPM subsystem keeps proper synchronization and resource management during chip removal, which is critical for the integrity of hardware security features and for preventing denial of service against the TPM.