CVE-2022-49287

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's TPM (Trusted Platform Module) subsystem, fixed by the commit "tpm: fix reference counting for struct tpm_chip". Reference counting between the /dev/tpmrm character device and the main TPM chip device (struct tpm_chip) was unbalanced, so if the TPM driver module (tpm_tis_spi in the reproducer quoted by the fix) is unloaded while /dev/tpmrm is still open, the chip structure is freed; the next write through the still-open file descriptor dereferences freed memory and the kernel warns "refcount_t: addition on 0; use-after-free." The usual outcome is a crash; arbitrary code execution in the kernel is the theoretical worst case. Only systems with TPM hardware, a TPM driver built as a module and an unpatched kernel are affected, and the unload step itself requires CAP_SYS_MODULE (root), so an unprivileged local user cannot perform the sequence alone.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Any kernel tree that lacks the commit "tpm: fix reference counting for struct tpm_chip" or its stable backport (the fix was backported to the maintained stable branches). The first fixed version differs per branch and per distribution, so check your vendor's advisory rather than relying on the base version number.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires TPM hardware and a TPM driver loaded as a kernel module (tpm_tis_spi in the reproducer; tpm_tis, tpm_crb and other drivers are exposed to the same unload path because the bug is in the TPM core, not in one driver). Systems without TPM hardware, with the TPM disabled in firmware, or with the TPM stack compiled into the kernel (no module to remove) are not reachable through the described sequence.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to kernel-level code execution, potentially leading to complete system compromise.

🟠

Likely Case

Kernel panic or system crash causing denial of service.

🟢

If Mitigated

No impact on a patched kernel. On an unpatched kernel there is no impact as long as the TPM driver is never unloaded or unbound while a process holds /dev/tpm* open; since unloading a module already requires CAP_SYS_MODULE, the practical exposure is a crash during administrative driver reloads rather than attack by an unprivileged local user.

🌐 Internet-Facing: LOW - Requires local access to exploit.
🏢 Internal Only: MEDIUM - Requires a local user who can unload the TPM driver module (root) while another process, such as a TPM resource manager daemon, holds /dev/tpmrm open. On hosts where that happens during maintenance, treat this primarily as a stability and availability risk until patched.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

No standalone proof of concept is known, but the fix commit message documents the three-step trigger (open /dev/tpmrm, remove the driver module, write a TPM command to the open descriptor) and the resulting refcount warning and stack trace. Exploitation requires local access and the ability to unload the TPM driver module, which needs CAP_SYS_MODULE; the defect is in the TPM subsystem's reference counting for struct tpm_chip, so any TPM driver that can be removed is a valid second step.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 290e05f346d1829e849662c97e42d5ad984f5258 and related fixes

Vendor Advisory: https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258

Restart Required: Yes. The fix is in the kernel, so the host must boot into the patched kernel (or apply it through your distribution's kernel livepatch service, if one is offered for this CVE).

Instructions:

1. Update the Linux kernel to the patched version from your distribution vendor.
2. For custom kernels, apply commits 290e05f346d1829e849662c97e42d5ad984f5258 and 2f928c0d5c02dbab49e8c19d98725c822f6fc409.
3. Rebuild and install the kernel, then reboot into it.

🔧 Temporary Workarounds

Restrict TPM device access (all platforms)

Limit who can open /dev/tpm* so that only root can hold the device open while a driver is being removed. Note that most distributions already install /dev/tpm0 as root:root 0600 and /dev/tpmrm0 as root:tss 0660 so that the tpm2-abrmd daemon and tpm2-tools can use the resource manager; tightening to 0600 breaks those users, and udev reapplies its own permissions when the device node is recreated (for example after the driver is reloaded), so a persistent change belongs in a udev rule rather than a one-off chmod.

chmod 600 /dev/tpm*
chown root:root /dev/tpm*

Disable TPM module autoloading (all platforms)

Prevent the TPM driver from being loaded at all. This disables the TPM for every consumer on the host (measured boot attestation, disk unlock with a TPM-sealed key, TPM-backed SSH or TLS keys), so use it only where the TPM is unused. A blacklist entry only stops alias-based autoloading and does nothing when the driver is compiled into the kernel (CONFIG_TCG_TIS=y); an explicit modprobe still succeeds unless you also add an `install <module> /bin/false` directive. Blacklist the driver that matches your hardware: tpm_tis_spi applies to SPI-attached TPMs, while most x86 systems use tpm_tis or tpm_crb.

echo 'blacklist tpm_tis_spi' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist tpm_tis_core' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Restrict local user access to systems with TPM hardware, and never unload or unbind the TPM driver while a process (such as tpm2-abrmd) holds /dev/tpm* open
  • Implement strict module loading policies using capabilities or SELinux/AppArmor; on hosts that do not need to change modules after boot, set the sysctl kernel.modules_disabled=1 once the needed modules are loaded, which blocks both loading and unloading until reboot

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether TPM drivers are loaded as modules: uname -r && lsmod | grep tpm. If lsmod lists tpm* modules, the driver can be removed and the trigger applies to an unpatched kernel; if nothing is listed but /dev/tpm0 exists, the TPM stack is compiled in (confirm with grep CONFIG_TCG_ /boot/config-$(uname -r)) and there is no module to remove. Also check who holds the device open, since an unload while it is open is exactly the unsafe sequence: find /proc/[0-9]*/fd -lname '/dev/tpm*' 2>/dev/null.

Check Version:

uname -r

Verify Fix Applied:

Confirm from your distribution's advisory or kernel changelog that the running kernel contains the fix for CVE-2022-49287 ("tpm: fix reference counting for struct tpm_chip"). Only on a disposable test system with a real or emulated TPM, reproduce the sequence from the fix commit: open /dev/tpmrm, remove the TPM driver module (tpm_tis_spi in the original report), then write a TPM command to the file descriptor opened in the first step. An unpatched kernel logs "refcount_t: addition on 0; use-after-free." with a stack trace through the tpm module and may crash; a patched kernel simply fails the write.
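The following triage script is an added example and is not part of this advisory or of the kernel tree; it encodes the three checks described above (is the TPM driver modular, who can open the device node, and which processes currently hold it open) as functions over text, so they can be run against saved command output as well as against the live host with --live. The sample /proc/modules, kernel config and fd-listing data at the end are constructed, not captured from a real machine, and the verdict strings are this example's own wording.

```shell
#!/bin/sh
# Added triage example for CVE-2022-49287 (not the advisory's or the kernel's
# own code). Every check is a function over text so it can be tested offline;
# with --live it reads the real /proc/modules, kernel config and /proc/*/fd.

# Print "modular" if any tpm* driver is loaded as a module (it can then be
# removed with rmmod, the trigger in the fix commit), "builtin" if the TPM
# stack is compiled in (no rmmod path; sysfs unbind still detaches the device),
# otherwise "absent". $1 = text of /proc/modules, $2 = text of the kernel config.
tpm_driver_mode() {
    if printf '%s\n' "$1" | grep -Eq '^tpm[a-z0-9_]* '; then
        echo modular
    elif printf '%s\n' "$2" | grep -Eq '^CONFIG_TCG_(TPM|TIS|TIS_SPI|CRB)=y'; then
        echo builtin
    else
        echo absent
    fi
}

# Print "ok" if only root, or root plus a dedicated tss group, can open the
# node, "open" otherwise, "unknown" if the node is missing.
# $1 = "owner:group mode" as printed by `stat -c '%U:%G %a' /dev/tpmrm0`
# (three-digit mode assumed, which is what stat prints for a plain node).
tpm_node_access() {
    [ -z "$1" ] && { echo unknown; return; }
    owner=${1%%:*}
    rest=${1#*:}; group=${rest%% *}; mode=${rest##* }
    others=${mode#??}               # third digit: world access
    grp=${mode#?}; grp=${grp%?}     # second digit: group access
    if [ "$owner" != root ] || [ "$others" != 0 ]; then
        echo open
    elif [ "$grp" != 0 ] && [ "$group" != root ] && [ "$group" != tss ]; then
        echo open
    else
        echo ok
    fi
}

# Count distinct processes holding a /dev/tpm* node open, from lines of the
# form "/proc/<pid>/fd/<n> -> /dev/tpmrm0" (what the find under --live prints).
# Unloading the driver while this is non-zero is the unsafe sequence.
tpm_node_holders() {
    printf '%s\n' "$1" \
        | sed -n 's#^/proc/\([0-9][0-9]*\)/fd/.*-> /dev/tpm.*#\1#p' \
        | sort -u | awk 'END { print NR }'
}

# One-line verdict combining the three checks. $1 mode, $2 access, $3 holders.
tpm_verdict() {
    case $1 in
        absent)  echo "not affected: no TPM driver present" ;;
        builtin) echo "driver built in: rmmod trigger not reachable, patch on schedule" ;;
        modular) echo "modular TPM driver: patch; $3 process(es) hold the device open, node access $2" ;;
    esac
}

# Constructed samples (not captured from a real host).
SAMPLE_MODULES='tpm_tis_spi 20480 0 - Live 0xffffffffc0a00000
tpm_tis_core 28672 1 tpm_tis_spi, Live 0xffffffffc09f0000
tpm 73728 2 tpm_tis_spi,tpm_tis_core, Live 0xffffffffc09d0000'
SAMPLE_CONFIG='CONFIG_TCG_TPM=m
CONFIG_TCG_TIS_SPI=m'
SAMPLE_HOLDERS='/proc/812/fd/3 -> /dev/tpmrm0
/proc/812/fd/7 -> /dev/tpmrm0
/proc/2044/fd/4 -> /dev/tpmrm0'

if [ "${1:-}" = --live ]; then
    mods=$(cat /proc/modules 2>/dev/null)
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null)
    node=$(stat -c '%U:%G %a' /dev/tpmrm0 2>/dev/null)
    held=$(find /proc/[0-9]*/fd -lname '/dev/tpm*' -printf '%p -> %l\n' 2>/dev/null)
else
    mods=$SAMPLE_MODULES; cfg=$SAMPLE_CONFIG; node='root:tss 660'; held=$SAMPLE_HOLDERS
fi
tpm_verdict "$(tpm_driver_mode "$mods" "$cfg")" "$(tpm_node_access "$node")" "$(tpm_node_holders "$held")"
```

Run it as root with --live on each host; on the constructed samples it reports a modular driver with two processes holding the resource manager open and an acceptable node mode, which is the "patch, and do not reload the driver in the meantime" case. A "builtin" result does not mean the kernel is fixed, only that the rmmod step of the reproducer is unavailable.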

📡 Detection & Monitoring

Log Indicators:

  • Kernel warnings about refcount_t: addition on 0; use-after-free
  • System crashes or kernel panics related to TPM operations
  • Failed attempts to load/unload TPM modules

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND "refcount_t: addition on 0; use-after-free" AND ("tpm_try_get_ops" OR "tpm_common_write" OR "[tpm]")

Matching on "tpm" alone, as in a query such as source="kernel" AND ("refcount_t" OR "use-after-free" OR "tpm"), fires on every routine TPM message (self-test results, command timeouts) and on refcount warnings from unrelated subsystems; anchoring on the exact warning text plus a tpm frame in the call trace keeps the alert specific to this bug.
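For hosts without a SIEM, the same detection can be run over dmesg or journalctl -k output. The script below is an added example, not part of this advisory: it pairs the exact "refcount_t: addition on 0; use-after-free." warning with the first call-trace frame inside a tpm module and reports the PID from the WARNING line, ignoring ordinary TPM messages and refcount warnings from other subsystems. The two log excerpts are constructed to follow the shape of the trace quoted in the fix commit; the function name and output format are this example's own.

```shell
#!/bin/sh
# Added detection example for CVE-2022-49287 (not the advisory's own code).
# $1 = kernel log text, e.g. "$(journalctl -k --no-pager -o cat)" or "$(dmesg)".
# Prints one line per matching event: pid=<pid> frame=<tpm call-trace frame>.
tpm_uaf_events() {
    printf '%s\n' "$1" | awk '
        # A WARNING line opens a new event; remember its PID and disarm.
        /WARNING: CPU: [0-9]+ PID: [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "PID:") pid = $(i + 1)
            armed = 0
        }
        # The exact message the fix commit quotes arms the detector.
        /refcount_t: addition on 0; use-after-free/ { armed = 1 }
        # First frame attributed to a tpm module confirms the subsystem.
        armed && $NF ~ /^\[tpm[a-z_]*\]$/ {
            print "pid=" pid " frame=" $(NF - 1) " " $NF
            armed = 0
        }
        # End of the trace without a tpm frame: a different refcount bug.
        /---\[ end trace/ { armed = 0 }
    '
}

# Constructed sample: the warning and trace shape from the fix commit.
SAMPLE_LOG='[   42.110] ------------[ cut here ]------------
[   42.111] WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
[   42.112] refcount_t: addition on 0; use-after-free.
[   42.113] Modules linked in: tpm_tis_spi(-) tpm_tis_core tpm
[   42.114] Call trace:
[   42.115]  kobject_get+0xa0/0xa4
[   42.116]  tpm_try_get_ops+0x14/0x54 [tpm]
[   42.117]  tpm_common_write+0x38/0x60 [tpm]
[   42.118]  vfs_write+0xe4/0x10c
[   42.119] ---[ end trace 0000000000000000 ]---'

# Constructed noise: a routine TPM message and an unrelated refcount warning,
# both of which a query that merely ORs "tpm" and "refcount_t" would flag.
NOISE_LOG='[   50.000] tpm tpm0: A TPM error (256) occurred attempting the self test
[   60.000] WARNING: CPU: 0 PID: 77 at lib/refcount.c:28 refcount_warn_saturate+0xa0/0xf0
[   60.001] refcount_t: underflow; use-after-free.
[   60.002] Call trace:
[   60.003]  other_driver_release+0x10/0x20 [other]
[   60.004] ---[ end trace 0000000000000000 ]---'

tpm_uaf_events "$SAMPLE_LOG"
tpm_uaf_events "$NOISE_LOG"
```

On the samples the first call prints pid=1161 frame=tpm_try_get_ops+0x14/0x54 [tpm] and the second prints nothing. The PID identifies the process that wrote to the stale descriptor; correlate it with audit or journal records of the preceding rmmod or sysfs unbind to find who removed the driver.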
