CVE-2022-49306

5.5 MEDIUM

📋 TL;DR

This CVE addresses a resource leak in the Linux kernel's USB DWC3 host controller driver. The leak occurs because the driver incorrectly set ACPI companion pointers, which can cause memory or resource leaks. Systems running affected Linux kernel versions on hardware with a USB DWC3 controller are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE; check git commits for exact ranges
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with USB DWC3 host controller hardware; vulnerability is in kernel driver code.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

System instability or denial of service due to resource exhaustion from memory leaks, potentially leading to kernel panic or system crash.

🟠 Likely Case

Gradual performance degradation or USB functionality issues due to resource leaks accumulating over time.

🟢 If Mitigated

Minimal impact with proper monitoring and resource limits in place.

🌐 Internet-Facing: LOW - This is a local kernel driver issue and is not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Requires local access or USB device interaction; can affect system stability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires specific hardware and kernel interaction

Exploitation requires triggering the specific code path on USB DWC3 hardware; the issue is more likely to cause stability problems than remote compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2, 9c185fde906a48368bd2d2a8c17d4b6fb3d670af, d7f35934f7ab67bfd9adabc84207e59da9c19108

Vendor Advisory: https://git.kernel.org/stable/c/7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable USB DWC3 controller

Temporarily disable the affected USB controller if it is not needed (the blacklist only takes effect when dwc3 is built as a module; update-initramfs is the Debian/Ubuntu command).

echo 'blacklist dwc3' > /etc/modprobe.d/blacklist-dwc3.conf
update-initramfs -u
reboot

🧯 If You Can't Patch

  • Monitor system memory and resource usage for unusual leaks
  • Restrict physical USB device access to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the USB DWC3 module is loaded: lsmod | grep dwc3

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel version has been updated and check dmesg for USB DWC3 initialization without errors.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • USB subsystem errors in dmesg
  • Memory allocation failures

Network Indicators:

  • None - local kernel issue

SIEM Query:

source="kernel" AND ("dwc3" OR "USB" OR "ACPI") AND ("error" OR "fail" OR "panic")
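To make the verification and detection steps above concrete, here is an added shell example (not from the advisory or the kernel project) that checks whether the dwc3 driver is active and applies the SIEM query above to kernel log lines. The sysfs driver path is an assumption about the dwc3 core driver name, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: (1) check whether the dwc3 driver is
# active on this host, and (2) apply the advisory's SIEM query to kernel log
# lines. The sample log lines below are constructed, not captured output.

# lsmod only lists loadable modules; a built-in dwc3 driver will not appear
# there, so also look for the driver's sysfs entry (assumed platform-driver
# name "dwc3"). Returns 0 when the driver is active.
dwc3_present() {
    lsmod 2>/dev/null | grep -q '^dwc3' || [ -d /sys/bus/platform/drivers/dwc3 ]
}

# Same semantics as the advisory's SIEM query on one log line: the line must
# mention dwc3, USB or ACPI AND contain error, fail or panic (case-insensitive).
dwc3_log_match() {
    printf '%s\n' "$1" | grep -iqE 'dwc3|usb|acpi' &&
        printf '%s\n' "$1" | grep -iqE 'error|fail|panic'
}

# Read log lines on stdin (e.g. `dmesg | dwc3_log_scan`), echo matches to
# stderr and print the number of matching lines on stdout.
dwc3_log_scan() {
    n=0
    while IFS= read -r line; do
        if dwc3_log_match "$line"; then
            n=$((n + 1))
            printf 'MATCH: %s\n' "$line" >&2
        fi
    done
    echo "$n"
}

# Constructed sample: only lines 1 and 4 satisfy both halves of the query.
# The xhci failure and the bare kernel panic are missed because they name
# none of dwc3/USB/ACPI, a limitation of the query worth knowing about.
SAMPLE_LOG='[    1.234567] dwc3 dwc3.0.auto: error -ENOMEM: failed to initialize core
[    1.234600] usb 1-1: new high-speed USB device number 2 using xhci-hcd
[    2.000001] ACPI: bus type USB registered
[    2.500000] usb usb1: device descriptor read/64, error -71
[    3.000000] xhci-hcd xhci-hcd.0.auto: Host halt failed, -110
[    4.000000] Kernel panic - not syncing: Fatal exception'

if dwc3_present; then echo "dwc3 driver active"; else echo "dwc3 driver not active"; fi
printf '%s\n' "$SAMPLE_LOG" | dwc3_log_scan   # prints 2
```

On a real host, replace the sample with `dmesg | dwc3_log_scan`; a non-zero count is a prompt to read the matched lines, not proof of this CVE.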
