CVE-2022-49842 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
ASoC: core: Fix use-after-free in snd_soc_exit()
KASAN reports a use-after-free:
BUG: KASAN: use-after-free in device_del+0xb5b/0xc60 Read of size 8 at addr ffff888008655050 by task rmmod/387 CPU: 2 PID: 387 Comm: rmmod Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace:
dump_stack_lvl+0x79/0x9a print_report+0x17f/0x47b kasan_report+0xbb/0xf0 device_del+0xb5b/0xc60 platform_device_del.part.0+0x24/0x200 platform_device_unregister+0x2e/0x40 snd_soc_exit+0xa/0x22 [snd_soc_core]
__do_sys_delete_module.constprop.0+0x34f/0x5b0 do_syscall_64+0x3a/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd ...
It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail, but its ret is ignored, which makes soc_dummy_dev unregistered twice.
snd_soc_init() snd_soc_util_init() platform_device_register_simple(soc_dummy_dev) platform_driver_register() # fail platform_device_unregister(soc_dummy_dev) platform_driver_register() # success ... snd_soc_exit() snd_soc_util_exit() # soc_dummy_dev will be unregistered for second time
To fix it, handle error and stop snd_soc_init() when util_init() fail. Also clean debugfs when util_init() or driver_register() fail.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability described in CVE-2022-49842 represents a critical use-after-free condition within the Linux kernel's sound subsystem, specifically affecting the Advanced SoC (ASoC) core module. This flaw manifests during module removal operations when the kernel's memory management system detects access to freed memory locations. The issue arises from improper error handling in the initialization sequence of the sound subsystem, creating a scenario where platform devices are registered and subsequently unregistered multiple times. The kernel's KASAN (Kernel Address Sanitizer) framework identifies this problem by reporting a use-after-free error occurring in the device_del function, where a read operation of size 8 attempts to access memory address 0xffff888008655050 from the rmmod process. The call trace demonstrates the execution path leading to this condition through the platform device management functions and ultimately to the snd_soc_exit function.
The technical root cause stems from a flawed initialization sequence in the snd_soc_init function where the return value of snd_soc_util_init is ignored despite potential failures. When snd_soc_util_init encounters an error during platform device registration, it attempts to unregister the soc_dummy_dev device but fails to properly handle this error condition. This oversight results in the platform device being unregistered twice during the module lifecycle - once during the failed initialization attempt and again during the normal exit sequence. The double unregistration creates a dangling pointer situation where the kernel attempts to access memory that has already been freed, leading to undefined behavior and potential system instability. This pattern of error handling failure directly correlates to CWE-415, which describes double free conditions in memory management, and CWE-416, which addresses use-after-free vulnerabilities in software systems.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling privilege escalation and denial of service conditions within kernel space. When the rmmod command attempts to remove the sound subsystem module, the kernel's memory management subsystem triggers the use-after-free error, which can result in system panics or unpredictable behavior. The vulnerability affects systems running Linux kernels with the ASoC sound subsystem enabled, particularly those utilizing platform device management for audio hardware integration. Attackers could potentially exploit this condition to cause system instability or, in more sophisticated scenarios, leverage the memory corruption to execute arbitrary code with kernel privileges. The flaw exists in the module lifecycle management and demonstrates a critical gap in error handling protocols within the kernel's sound subsystem architecture.
Mitigation strategies for this vulnerability require immediate patch application from kernel vendors, as the fix involves correcting the error handling logic in the snd_soc_init function to properly abort initialization when snd_soc_util_init fails. The recommended approach includes implementing proper error checking and early termination in the initialization sequence, ensuring that platform devices are not registered multiple times. Additionally, developers should implement comprehensive cleanup routines in debugfs management that properly handle failure conditions during both the initialization and registration phases. System administrators should prioritize kernel updates to versions containing the specific fix for CVE-2022-49842, which addresses the double unregistration issue by ensuring that snd_soc_init terminates early when util_init fails. The fix also includes cleaning debugfs resources when registration failures occur, preventing resource leaks and maintaining system stability. This vulnerability aligns with ATT&CK technique T1068, which covers 'Exploitation for Privilege Escalation', as the use-after-free condition could potentially be leveraged to gain elevated privileges within the kernel space environment.