Use-After-Free in USB Ethernet Drivers in Linux Kernel
CVE-2022-50220
What is CVE-2022-50220?
In the Linux kernel, a use-after-free vulnerability affects USB Ethernet drivers built on the usbnet core, caused by improper handling of device disconnection. If a link change interrupt arrives just before the device is disconnected, the deferred work it schedules, usbnet_deferred_kevent(), is only awaited after the network device has already been unregistered. The work can therefore still run and call netif_carrier_on/off on a net_device that has been unregistered and freed, resulting in potential system instability and security risk. The flaw illustrates why deferred work must be completed or cancelled before the resources it references are torn down.
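The ordering problem described above, as an added userspace model rather than kernel code: a link-change event schedules a deferred work item holding a pointer to the network device; if the device is unregistered and freed before that work is flushed, the work dereferences stale memory. The struct names (net_dev, kevent), the disconnect_* functions and the live_dev shadow used to detect the stale pointer are all constructed for this illustration, and the mitigated ordering (flush the work before unregistering) is the pattern the description implies, not a quote of the upstream patch.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of the usbnet disconnect race behind CVE-2022-50220.
 * Constructed for illustration; none of these names are kernel identifiers. */

struct net_dev {
    bool registered;
    bool carrier;
};

/* Deferred work item, standing in for usbnet_deferred_kevent(). */
struct kevent {
    bool pending;
    struct net_dev *dev;   /* pointer captured when the work was scheduled */
};

enum outcome { SAFE = 0, USE_AFTER_UNREGISTER = 1 };

/* Shadow of the one live net_dev so the model can detect a stale pointer
 * instead of actually touching freed memory. */
static struct net_dev *live_dev;

/* A link-change interrupt only schedules the work; it does not run it. */
static void link_change_irq(struct kevent *work, struct net_dev *dev)
{
    work->pending = true;
    work->dev = dev;
}

/* The deferred handler: toggles carrier state, as netif_carrier_on/off would.
 * Reports whether it was about to touch a device that is already gone. */
static enum outcome run_kevent(struct kevent *work)
{
    if (!work->pending)
        return SAFE;
    work->pending = false;
    if (work->dev != live_dev)          /* stale pointer: dev already freed */
        return USE_AFTER_UNREGISTER;
    work->dev->carrier = !work->dev->carrier;
    return SAFE;
}

static struct net_dev *register_dev(void)
{
    struct net_dev *dev = calloc(1, sizeof *dev);
    dev->registered = true;
    live_dev = dev;
    return dev;
}

static void unregister_and_free(struct net_dev *dev)
{
    dev->registered = false;
    live_dev = NULL;
    free(dev);
}

/* Vulnerable ordering: unregister (and free) first, then the pending work
 * runs against the freed device. */
enum outcome disconnect_vulnerable(void)
{
    struct kevent work = {0};
    struct net_dev *dev = register_dev();

    link_change_irq(&work, dev);        /* interrupt lands just before disconnect */
    unregister_and_free(dev);
    return run_kevent(&work);           /* work now dereferences freed dev */
}

/* Mitigated ordering: flush the deferred work while the device is still alive,
 * then unregister. Any later run finds nothing pending. */
enum outcome disconnect_fixed(void)
{
    struct kevent work = {0};
    struct net_dev *dev = register_dev();
    enum outcome r;

    link_change_irq(&work, dev);
    r = run_kevent(&work);              /* flush: completes against a live dev */
    unregister_and_free(dev);
    if (run_kevent(&work) != SAFE)      /* nothing pending, so this is a no-op */
        r = USE_AFTER_UNREGISTER;
    return r;
}
```

The stale-pointer check in run_kevent stands in for what a sanitizer such as KASAN would flag in a real kernel; the point of the model is that the only difference between the two sequences is whether the deferred work is drained before or after the object it references is torn down.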
Affected Version(s)
Linux, from commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 up to (but not including) commit 7f77dcbc030c2faa6d8e8a594985eeb34018409e