CVE-2022-48926 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: add spinlock for rndis response list There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list. [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Call trace: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

References

Link	Providers
https://git.kernel.org/stable/c/33222d1571d7ce8c1c75f6b488f38968fa93d2d9
https://git.kernel.org/stable/c/4ce247af3f30078d5b97554f1ae6200a0222c15a
https://git.kernel.org/stable/c/669c2b178956718407af5631ccbc61c24413f038
https://git.kernel.org/stable/c/9ab652d41deab49848673c3dadb57ad338485376
https://git.kernel.org/stable/c/9f5d8ba538ef81cd86ea587ca3f8c77e26bea405
https://git.kernel.org/stable/c/9f688aadede6b862a0a898792b1a35421c93636f
https://git.kernel.org/stable/c/aaaba1c86d04dac8e49bf508b492f81506257da3
https://git.kernel.org/stable/c/da514063440b53a27309a4528b726f92c3cfe56f
https://lore.kernel.org/linux-cve-announce/2024082220-CVE-2022-48926-e8ce@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-48926
https://www.cve.org/CVERecord?id=CVE-2022-48926

History

Thu, 26 Sep 2024 10:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-414

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 23 Aug 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 22 Aug 2024 22:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2024082220-CVE-2022-48926-e8ce@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-48926 https://www.cve.org/CVERecord?id=CVE-2022-48926
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 22 Aug 2024 03:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: add spinlock for rndis response list There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list. [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Call trace: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c
Title		usb: gadget: rndis: add spinlock for rndis response list
References		https://git.kernel.org/stable/c/33222d1571d7ce8c1c75f6b488f38968fa93d2d9 https://git.kernel.org/stable/c/4ce247af3f30078d5b97554f1ae6200a0222c15a https://git.kernel.org/stable/c/669c2b178956718407af5631ccbc61c24413f038 https://git.kernel.org/stable/c/9ab652d41deab49848673c3dadb57ad338485376 https://git.kernel.org/stable/c/9f5d8ba538ef81cd86ea587ca3f8c77e26bea405 https://git.kernel.org/stable/c/9f688aadede6b862a0a898792b1a35421c93636f https://git.kernel.org/stable/c/aaaba1c86d04dac8e49bf508b492f81506257da3 https://git.kernel.org/stable/c/da514063440b53a27309a4528b726f92c3cfe56f

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-08-22T03:31:18.572Z

Updated: 2025-05-04T08:26:14.492Z

Reserved: 2024-08-21T06:06:23.297Z

Link: CVE-2022-48926

Vulnrichment

Updated: 2024-09-11T12:42:15.624Z

NVD

Status : Analyzed

Published: 2024-08-22T04:15:15.363

Modified: 2024-08-23T02:05:14.960

Link: CVE-2022-48926

Redhat

Severity : Moderate

Publid Date: 2024-08-22T00:00:00Z

Links: CVE-2022-48926 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48926", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-21T06:06:23.297Z", "datePublished": "2024-08-22T03:31:18.572Z", "dateUpdated": "2025-05-04T08:26:14.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:26:14.492Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: add spinlock for rndis response list\n\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n\n[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n\n[ 361.904380] [1: irq/191-dwc3:16979] Call trace:\n[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90\n[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0\n[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84\n[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4\n[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60\n[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0\n[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc\n[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc\n[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec\n[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/rndis.c", "drivers/usb/gadget/function/rndis.h"], "versions": [{"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9f5d8ba538ef81cd86ea587ca3f8c77e26bea405", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "669c2b178956718407af5631ccbc61c24413f038", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9f688aadede6b862a0a898792b1a35421c93636f", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9ab652d41deab49848673c3dadb57ad338485376", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "4ce247af3f30078d5b97554f1ae6200a0222c15a", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "da514063440b53a27309a4528b726f92c3cfe56f", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "33222d1571d7ce8c1c75f6b488f38968fa93d2d9", "status": "affected", "versionType": "git"}, {"version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "aaaba1c86d04dac8e49bf508b492f81506257da3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/rndis.c", "drivers/usb/gadget/function/rndis.h"], "versions": [{"version": "4.6", "status": "affected"}, {"version": "0", "lessThan": "4.6", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.304", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.269", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.232", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.182", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.103", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.26", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.12", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "4.9.304"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "4.14.269"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "4.19.232"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.4.182"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.10.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.15.26"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.16.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9f5d8ba538ef81cd86ea587ca3f8c77e26bea405"}, {"url": "https://git.kernel.org/stable/c/669c2b178956718407af5631ccbc61c24413f038"}, {"url": "https://git.kernel.org/stable/c/9f688aadede6b862a0a898792b1a35421c93636f"}, {"url": "https://git.kernel.org/stable/c/9ab652d41deab49848673c3dadb57ad338485376"}, {"url": "https://git.kernel.org/stable/c/4ce247af3f30078d5b97554f1ae6200a0222c15a"}, {"url": "https://git.kernel.org/stable/c/da514063440b53a27309a4528b726f92c3cfe56f"}, {"url": "https://git.kernel.org/stable/c/33222d1571d7ce8c1c75f6b488f38968fa93d2d9"}, {"url": "https://git.kernel.org/stable/c/aaaba1c86d04dac8e49bf508b492f81506257da3"}], "title": "usb: gadget: rndis: add spinlock for rndis response list", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:33:05.816809Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:33:10.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:33:05.816809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:15.624Z"}}], "cna": {"title": "usb: gadget: rndis: add spinlock for rndis response list", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9f5d8ba538ef81cd86ea587ca3f8c77e26bea405", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "669c2b178956718407af5631ccbc61c24413f038", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9f688aadede6b862a0a898792b1a35421c93636f", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "9ab652d41deab49848673c3dadb57ad338485376", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "4ce247af3f30078d5b97554f1ae6200a0222c15a", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "da514063440b53a27309a4528b726f92c3cfe56f", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "33222d1571d7ce8c1c75f6b488f38968fa93d2d9", "versionType": "git"}, {"status": "affected", "version": "f6281af9d62e128aa6efad29cf7265062af114f2", "lessThan": "aaaba1c86d04dac8e49bf508b492f81506257da3", "versionType": "git"}], "programFiles": ["drivers/usb/gadget/function/rndis.c", "drivers/usb/gadget/function/rndis.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.6"}, {"status": "unaffected", "version": "0", "lessThan": "4.6", "versionType": "semver"}, {"status": "unaffected", "version": "4.9.304", "versionType": "semver", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.269", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.232", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.182", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.103", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.26", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.12", "versionType": "semver", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/usb/gadget/function/rndis.c", "drivers/usb/gadget/function/rndis.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9f5d8ba538ef81cd86ea587ca3f8c77e26bea405"}, {"url": "https://git.kernel.org/stable/c/669c2b178956718407af5631ccbc61c24413f038"}, {"url": "https://git.kernel.org/stable/c/9f688aadede6b862a0a898792b1a35421c93636f"}, {"url": "https://git.kernel.org/stable/c/9ab652d41deab49848673c3dadb57ad338485376"}, {"url": "https://git.kernel.org/stable/c/4ce247af3f30078d5b97554f1ae6200a0222c15a"}, {"url": "https://git.kernel.org/stable/c/da514063440b53a27309a4528b726f92c3cfe56f"}, {"url": "https://git.kernel.org/stable/c/33222d1571d7ce8c1c75f6b488f38968fa93d2d9"}, {"url": "https://git.kernel.org/stable/c/aaaba1c86d04dac8e49bf508b492f81506257da3"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: add spinlock for rndis response list\n\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n\n[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n\n[ 361.904380] [1: irq/191-dwc3:16979] Call trace:\n[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90\n[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0\n[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84\n[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4\n[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60\n[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0\n[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc\n[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc\n[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec\n[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.9.304", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.269", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.232", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.182", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.103", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.26", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.12", "versionStartIncluding": "4.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17", "versionStartIncluding": "4.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:26:14.492Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48926", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:26:14.492Z", "dateReserved": "2024-08-21T06:06:23.297Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-22T03:31:18.572Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA1E6BF0-F833-4FBE-8171-CC3C308EB3A0", "versionEndExcluding": "4.9.304", "versionStartIncluding": "4.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0F577D3-EFEA-42CF-80AA-905297529D7F", "versionEndExcluding": "4.14.269", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF11C6DC-8B9A-4A37-B1E6-33B68F5366ED", "versionEndExcluding": "4.19.232", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE74CED8-43BF-4060-9578-93A09735B4E2", "versionEndExcluding": "5.4.182", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A95B717-3110-4D4F-B8FC-373919BB514D", "versionEndExcluding": "5.10.103", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AB342AE-A62E-4947-A6EA-511453062B2B", "versionEndExcluding": "5.15.26", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C76BAB21-7F23-4AD8-A25F-CA7B262A2698", "versionEndExcluding": "5.16.12", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: add spinlock for rndis response list\n\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n\n[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n\n[ 361.904380] [1: irq/191-dwc3:16979] Call trace:\n[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90\n[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0\n[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84\n[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4\n[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60\n[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0\n[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc\n[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc\n[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec\n[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: gadget: rndis: agregar spinlock para la lista de respuestas de rndis No hay bloqueo para la lista de respuestas de rndis. Podr\u00eda causar corrupci\u00f3n en la lista si hay dos list_add diferentes al mismo tiempo, como se muestra a continuaci\u00f3n. Es mejor agregar rndis_add_response / rndis_free_response / rndis_get_next_response para evitar cualquier condici\u00f3n de ejecuci\u00f3n en la lista de respuestas. [ 361.894299] [1: irq/191-dwc3:16979] list_add corrupci\u00f3n. siguiente->anterior deber\u00eda ser anterior (ffffff80651764d0), pero era ffffff883dc36f80. (siguiente=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Rastreo de llamadas: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979 ] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] misi\u00f3n+0x20/0xe4 [ 361.904426] [1: irq /191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: 16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465 ] [1: irq/191-dwc3: 16979] dwc3_thread_interrupt+0x34/0x5c"}], "id": "CVE-2022-48926", "lastModified": "2024-08-23T02:05:14.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-22T04:15:15.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/33222d1571d7ce8c1c75f6b488f38968fa93d2d9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4ce247af3f30078d5b97554f1ae6200a0222c15a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/669c2b178956718407af5631ccbc61c24413f038"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9ab652d41deab49848673c3dadb57ad338485376"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9f5d8ba538ef81cd86ea587ca3f8c77e26bea405"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9f688aadede6b862a0a898792b1a35421c93636f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aaaba1c86d04dac8e49bf508b492f81506257da3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da514063440b53a27309a4528b726f92c3cfe56f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: gadget: rndis: add spinlock for rndis response list", "id": "2307182", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307182"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-414", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: gadget: rndis: add spinlock for rndis response list\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n[ 361.904380] [1: irq/191-dwc3:16979] Call trace:\n[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90\n[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0\n[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84\n[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4\n[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60\n[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0\n[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc\n[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc\n[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec\n[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c", "A vulnerability found in the Linux kernel\u2019s USB gadget in the RNDIS subsystem was resolved by adding a spinlock to protect the RNDIS response list. The lack of synchronization previously allowed concurrent `list_add` operations, leading to list corruption and potential crashes."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48926", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48926\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48926\nhttps://lore.kernel.org/linux-cve-announce/2024082220-CVE-2022-48926-e8ce@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object