CVE-2022-49686 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: fix list double add in uvcg_video_pump

A panic can occur if the endpoint becomes disabled and the uvcg_video_pump adds the request back to the req_free list after it has already been queued to the endpoint. The endpoint complete will add the request back to the req_free list. Invalidate the local request handle once it's been queued.

[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)
[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.
[ 246.797213][ T26] ------------[ cut here ]------------
[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31!
[ 246.807073][ T26] Call trace:
[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c
[ 246.807366][ T26] process_one_work+0x2a4/0x544
[ 246.807394][ T26] worker_thread+0x350/0x784
[ 246.807442][ T26] kthread+0x2ac/0x320


Analysis

by VulDB Data Team • 10/24/2025

This vulnerability exists within the Linux kernel's USB gadget framework, specifically in the USB Video Class (UVC) implementation, where a double list addition occurs in the uvcg_video_pump function. The issue arises when a USB endpoint becomes disabled during video streaming, creating a race condition between the endpoint completion handler and the video pump function. When the endpoint is disabled, uvcg_video_pump attempts to return a request to the req_free list after it has already been queued to the endpoint, corrupting the list and triggering a kernel panic.

The technical flaw stems from improper handling of request lifecycle management within the UVC gadget driver. When a USB endpoint is disabled, the completion handler processes the request and adds it back to the free request list. However, the uvcg_video_pump function still holds the same request handle and attempts to add it to the free list again, producing a duplicate entry in the linked list. This violates the list-integrity assumptions that the kernel's list management subsystem enforces, specifically triggering the list_debug.c validation at line 31, which detects the malformed list structure.

The operational impact of this vulnerability is severe as it can cause complete system crashes through kernel panic conditions, effectively rendering the device unusable during USB video streaming operations. The vulnerability is particularly dangerous in embedded systems or devices that rely on USB gadget functionality for video capture or streaming, such as security cameras, video conferencing equipment, or industrial imaging devices. The panic occurs during the uvc_function_set_alt function call which is responsible for setting alternate settings for USB video interfaces, making it a critical point of failure in video streaming workflows.

This vulnerability maps directly to CWE-126: Buffer Under-read and CWE-129: Improper Validation of Array Index, as it involves improper handling of list structures and memory management. From an ATT&CK perspective, this represents a privilege escalation vector through kernel exploitation, potentially allowing attackers to cause denial of service or system instability. The fix implemented by invalidating the local request handle after queuing ensures that subsequent attempts to manipulate the same request structure are prevented, breaking the race condition that leads to the double list addition.

Mitigation strategies should focus on ensuring proper request lifecycle management in kernel USB gadget drivers, particularly in UVC implementations. System administrators should apply the kernel patch that prevents the double addition by invalidating the request handle after it has been successfully queued to the endpoint. Organizations running embedded systems or devices with USB gadget functionality should conduct thorough testing of USB video streaming operations to identify potential triggers for this vulnerability. The fix demonstrates the importance of proper synchronization and state management in kernel-level USB drivers, particularly when dealing with asynchronous endpoint completion handlers and request queuing mechanisms.
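To make the ordering concrete, here is an added C model of the sequence the commit message and analysis describe; it is not the driver's code. It uses a tiny list_head-style list with the same double-add check lib/list_debug.c applies, a stand-in completion callback and a stand-in pump, and the names uvc_video, ep_complete and pump_once are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Intrusive doubly linked list modelled on the kernel's list_head. */
struct list_head { struct list_head *prev, *next; };
static void list_init(struct list_head *h) { h->prev = h->next = h; }
static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev; list_init(e);
}
/* Same condition lib/list_debug.c checks before an add; the kernel BUG()s with
 * "list_add double add: new=..., prev=..., next=..." when it fails. The log
 * above shows new == prev, which is exactly the case caught here. */
static bool list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    if (n == prev || n == head || prev->next != head) return false; /* BUG() in kernel */
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
    return true;
}

struct usb_request { struct list_head list; };
struct uvc_video { struct list_head req_free; struct usb_request *queued; }; /* assumed name */

/* Stand-in for the endpoint completion callback: with the endpoint disabled it
 * hands the finished request back to req_free. */
static bool ep_complete(struct uvc_video *video)
{
    struct usb_request *req = video->queued;
    video->queued = NULL;
    return list_add_tail(&req->list, &video->req_free);
}

/* Stand-in for uvcg_video_pump. Returns 1 if the double add is detected, 0 if
 * req_free stays well-formed. "fixed" applies the patch: drop the local handle
 * once the request has been handed to the endpoint. */
static int pump_once(bool fixed)
{
    struct uvc_video video; struct usb_request r;
    list_init(&video.req_free); list_init(&r.list);
    list_add_tail(&r.list, &video.req_free);     /* one request sitting on req_free */
    struct usb_request *req = (struct usb_request *)video.req_free.next;
    list_del(&req->list);                        /* pump takes it off req_free */
    video.queued = req;                          /* usb_ep_queue(): endpoint owns it now */
    if (fixed) req = NULL;                       /* the fix: invalidate the local handle */
    ep_complete(&video);                         /* endpoint disabled: completion returns it */
    /* pump's exit path: a stale handle returns the same request a second time */
    if (req && !list_add_tail(&req->list, &video.req_free)) return 1;
    return 0;
}
```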

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low
