CVE-2022-49082
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's mpt3sas SCSI driver. When removing an expander node, the driver frees memory and then accesses it again, which can cause a kernel crash or, potentially, privilege escalation. Systems running an affected Linux kernel version with the mpt3sas driver loaded are vulnerable.
💻 Affected Systems
- Linux kernel with mpt3sas driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, or potential privilege escalation to kernel mode if memory corruption can be controlled.
Likely Case
System crash or kernel panic when removing SCSI expander nodes, typically during driver unload or hardware removal.
If Mitigated
System remains stable with no impact if the vulnerable code path isn't triggered.
🎯 Exploit Status
Requires local access and ability to trigger driver operations (e.g., via rmmod). No known public exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel containing commit 17d66b1c92bcb41e72271ec60069d3684aaa1c9c or later
Vendor Advisory: https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Unload mpt3sas driver
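Linux: Remove the vulnerable driver module if not needed. Driver unload is itself one of the operations that removes expander nodes (see Likely Case), so on an unpatched host with a SAS expander attached, plan for a possible crash when running this.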
sudo rmmod mpt3sas
Blacklist driver
Linux: Prevent the mpt3sas driver from loading automatically. This does not unload a module that is already loaded.
echo 'blacklist mpt3sas' | sudo tee /etc/modprobe.d/blacklist-mpt3sas.conf
🧯 If You Can't Patch
- Restrict local access to prevent unauthorized users from triggering driver operations
- Monitor for kernel crashes or suspicious driver unload operations
🔍 How to Verify
Check if Vulnerable:
Check if mpt3sas module is loaded: lsmod | grep mpt3sas. If loaded and kernel version is vulnerable, system is at risk.
Check Version:
uname -r
Verify Fix Applied:
Check the kernel version after the update and verify that expander removal operations with the mpt3sas module loaded complete without issues.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN use-after-free reports in dmesg
- Driver removal errors
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for: 'KASAN: use-after-free', 'mpt3sas', 'scsih_expander_node_remove' in kernel logs
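The search terms above, tightened into a log scan, as an added example that is not part of the original advisory: a bare 'mpt3sas' search also matches routine driver messages, so this function only reports KASAN use-after-free headers that name the mpt3sas module or scsih_expander_node_remove, together with the task that triggered them. The function name scan_mpt3sas_uaf and all log lines in sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag KASAN use-after-free reports
# that implicate mpt3sas, and report which task triggered them.

# Reads kernel log text on stdin (dmesg or journalctl -k output) and prints
# one "<function> <task>" line per matching report.
scan_mpt3sas_uaf() {
    awk '
    # KASAN header, e.g. "BUG: KASAN: use-after-free in fn+0x../0x.. [module]".
    # Newer kernels print "slab-use-after-free"; accept both.
    /BUG: KASAN: (slab-)?use-after-free in / {
        pending = 0
        if ($0 ~ /\[mpt3sas\]/ || $0 ~ /scsih_expander_node_remove/) {
            fn = $0
            sub(/.*use-after-free in /, "", fn)   # drop prefix and timestamp
            sub(/[+ ].*/, "", fn)                 # drop offset and module tag
            pending = 1
        }
        next
    }
    # The access line after the header ends in "by task <comm>/<pid>".
    pending && / by task / {
        task = $NF
        sub(/\/[0-9]+$/, "", task)
        print fn, task
        pending = 0
    }'
}

# Constructed sample log: one mpt3sas report, one unrelated KASAN report,
# and ordinary driver messages that a bare "mpt3sas" search would also hit.
sample_log() {
    cat <<'EOF'
[  101.100000] mpt3sas_cm0: removing expander (constructed message)
[  101.200000] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[  101.200001] Read of size 1 at addr ffff888100000000 by task rmmod/1531
[  205.000000] BUG: KASAN: use-after-free in example_fn+0x10/0x20 [othermod]
[  205.000001] Read of size 8 at addr ffff888100000008 by task kworker/0:1/77
[  300.000000] mpt3sas_cm0: port enable: SUCCESS
EOF
}

sample_log | scan_mpt3sas_uaf
```

On a live host, pipe `dmesg` or `journalctl -k` into the function. KASAN reports only appear on kernels built with CONFIG_KASAN, so on other kernels rely on the panic and driver-removal indicators listed above.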