CVE-2022-50087 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails

When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care of, then it could result in a use-after-free, as the value is exported via get_scpi_ops() and could refer to memory allocated via devm_kzalloc() but freed when the probe fails.


Analysis

by VulDB Data Team • 11/30/2025

CVE-2022-50087 is a use-after-free in the Linux kernel's firmware subsystem, in the arm_scpi driver that talks SCPI (System Control and Power Interface) to the system control processor on Arm platforms. The driver keeps its private data behind a single file-scope pointer, scpi_info, and exports that data to other kernel components through get_scpi_ops(). Before the fix, the probe function assigned scpi_info as soon as the private data had been allocated, so if a later step of probe failed the pointer was left referring to memory the driver no longer owned. It is a memory-safety bug in an error path of device initialisation, not a flaw in the SCPI protocol itself.

The root cause is the order of publication and failure handling in the probe path. The private data is allocated with devm_kzalloc(), which makes it a managed resource: when probe returns an error, the driver core's devres machinery frees the allocation automatically and the driver never calls kfree() itself. That convenience is the trap. Any pointer to the allocation that lives outside the device, here the static scpi_info, becomes dangling the moment probe fails, and nothing in the failure path reset it to NULL. A later call to get_scpi_ops() therefore read scpi_info->scpi_ops through a pointer into freed memory, a textbook use-after-free (CWE-416). The pattern is not specific to this driver: whenever a devm-managed object is published through a global, the global must be assigned only after the last step that can fail and cleared again on every path that lets devres free the object, including the remove path.

The impact depends on something calling get_scpi_ops() after a failed probe. Drivers for SCPI-based platforms (cpufreq, hwmon and power-domain support, for example) obtain their operations table that way, so a failed arm_scpi probe followed by one of those probes would read a stale pointer out of freed memory and then act on it. VulDB maps the weakness to CWE-416 (Use After Free) and the technique to ATT&CK T1068 (Exploitation for Privilege Escalation), the usual classification for a kernel use-after-free, since control over reused slab memory can in principle redirect kernel execution. Two caveats keep the practical risk low. The trigger is a probe failure inside the kernel during device initialisation, not input supplied by an unprivileged user, and this page documents no way for an attacker to force it; the low EPSS estimate (0.00161) and the absence from KEV are consistent with that. The affected population is also narrow: only Arm systems whose firmware speaks SCPI load this driver at all.

The fix keeps scpi_info NULL until probe has succeeded: the private data is built in a local variable, the global is assigned only after the steps that can fail, and it is cleared again if a step after that assignment fails, so get_scpi_ops() returns NULL rather than a stale pointer whenever the driver is not fully initialised. The change is small and self-contained. Note the dates: the identifier was reserved on 06/18/2025 for a fix from 2022, so a mainline kernel from after the fix, or a stable kernel that picked up the backport, already has it, while a vendor or BSP kernel frozen before then may not. Administrators of Arm systems that use SCPI should therefore check that their kernel's arm_scpi driver includes the fix rather than judge by the CVE date. The bug does not announce itself in normal operation: a failed probe is reported in the kernel log, but the use-after-free only surfaces later, and only if a consumer calls get_scpi_ops(), so on test kernels KASAN is the practical way to catch this class of defect, and in production the effective control is simply running a fixed kernel. Generic monitoring for "unusual memory access patterns" is not an actionable mitigation for a kernel-internal bug of this kind, and kernel lockdown does not address it either. More broadly, the bug illustrates a rule for any driver that publishes a devm-managed allocation through a global pointer: assign the global only after the last fallible step, and clear it on every path that lets devres free the object.
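To make both the root cause and the fix concrete, the following is an added example written for this page; it is not code from the kernel's arm_scpi driver or from VulDB. It models the pattern in plain C: a constructed stand-in for devres that frees every devm_kzalloc() block when probe fails, a vulnerable probe that publishes the file-scope scpi_info before probe can still fail, and a fixed probe that publishes only on success and un-publishes if a later step fails. The devres model, the struct layouts, the fail_step parameter, scpi_ops_table and the two check functions are assumptions made for the example; only the names scpi_info, get_scpi_ops() and devm_kzalloc() come from the driver itself.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's devres (an assumption for this example):
 * every devm_kzalloc() is recorded and all of them are freed when probe() fails. */
#define MAX_DEVRES 8
struct device { void *devres[MAX_DEVRES]; int n; };
static uintptr_t last_freed;	/* address of the block devres released last */

static void *devm_kzalloc(struct device *dev, size_t size)
{
	void *p = calloc(1, size);
	if (p && dev->n < MAX_DEVRES)
		dev->devres[dev->n++] = p;
	return p;
}

static void devres_release_all(struct device *dev)
{
	while (dev->n > 0) {
		last_freed = (uintptr_t)dev->devres[--dev->n];
		free(dev->devres[dev->n]);
	}
}

/* Minimal shapes of the exported ops table and the driver's private data. */
struct scpi_ops { int (*get_version)(void); };
static int scpi_get_version(void) { return 0x10000; }
static struct scpi_ops scpi_ops_table = { .get_version = scpi_get_version };
struct scpi_drvinfo { struct scpi_ops *scpi_ops; };

/* File-scope singleton that get_scpi_ops() hands to other drivers. */
static struct scpi_drvinfo *scpi_info;

struct scpi_ops *get_scpi_ops(void) { return scpi_info ? scpi_info->scpi_ops : NULL; }

/* fail_step: 0 = success, 1 = an early step (e.g. the firmware handshake)
 * fails, 2 = a step after the driver is already usable fails. */
typedef int (*scpi_probe_fn)(struct device *dev, int fail_step);

/* Vulnerable shape: the global is assigned as soon as the allocation
 * succeeds, while later steps of probe can still fail. */
static int scpi_probe_vulnerable(struct device *dev, int fail_step)
{
	scpi_info = devm_kzalloc(dev, sizeof(*scpi_info));
	if (!scpi_info)
		return -ENOMEM;
	scpi_info->scpi_ops = &scpi_ops_table;
	if (fail_step) {
		devres_release_all(dev);	/* driver core frees the block... */
		return -ENODEV;			/* ...and scpi_info still points at it */
	}
	return 0;
}

/* Fixed shape: build in a local, publish only after the early steps pass,
 * and un-publish again before devres runs if a later step fails. */
static int scpi_probe_fixed(struct device *dev, int fail_step)
{
	struct scpi_drvinfo *info = devm_kzalloc(dev, sizeof(*info));
	if (!info)
		return -ENOMEM;
	info->scpi_ops = &scpi_ops_table;
	if (fail_step == 1) {
		devres_release_all(dev);
		return -ENODEV;		/* scpi_info never saw this block */
	}
	scpi_info = info;
	if (fail_step == 2) {
		scpi_info = NULL;	/* back to "not probed" before the free */
		devres_release_all(dev);
		return -ENODEV;
	}
	return 0;
}

/* Run a failing probe and report whether scpi_info is left pointing at the
 * block devres just freed (compared as an integer; dereferencing it is the UAF). */
bool failed_probe_leaves_dangling(scpi_probe_fn probe, int fail_step)
{
	struct device dev = {0};
	scpi_info = NULL; last_freed = 0;
	int ret = probe(&dev, fail_step);
	bool dangling = ret < 0 && last_freed && (uintptr_t)scpi_info == last_freed;
	scpi_info = NULL;		/* reset for the next scenario */
	return dangling;
}

/* What a consumer sees from get_scpi_ops() after a probe. Only safe with the
 * fixed probe: with the vulnerable one and fail_step != 0 it reads freed memory. */
bool consumer_gets_ops(scpi_probe_fn probe, int fail_step)
{
	struct device dev = {0};
	scpi_info = NULL;
	probe(&dev, fail_step);
	bool usable = get_scpi_ops() != NULL;
	scpi_info = NULL;		/* removal clears the global before devres frees */
	devres_release_all(&dev);
	return usable;
}
```

failed_probe_leaves_dangling(scpi_probe_vulnerable, 1) is true: after the failed probe, scpi_info holds exactly the address the devres model just freed, and any consumer calling get_scpi_ops() would dereference it. With scpi_probe_fixed the same check is false for both an early and a late failure, and consumer_gets_ops() returns NULL after either failure and a valid table only after a successful probe. The check deliberately compares the pointer value as an integer instead of reading through it, which is the one thing the vulnerable driver did.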

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00161

KEV

no

Activities

very low
