CVE-2022-49494 – This CVE describes a NULL pointer dereference v... (How to Fix)

Q: What is the severity of CVE-2022-49494?

CVE-2022-49494 has a CVSS score of 5.5 (MEDIUM). This CVE describes a NULL pointer dereference vulnerability in the Cadence NAND driver of the Linux kernel. If exploited, it could cause a kernel panic or system crash on systems using affected Cadence NAND controllers. The vulnerability affects Linux systems with specific hardware configurations.

📋 TL;DR

This CVE describes a NULL pointer dereference vulnerability in the Cadence NAND driver of the Linux kernel. If exploited, it could cause a kernel panic or system crash on systems using affected Cadence NAND controllers. The vulnerability affects Linux systems with specific hardware configurations.

💻 Affected Systems

Products:

Linux kernel with Cadence NAND driver

Versions: Linux kernel versions containing the vulnerable cadence_nand_dt_probe() function before the fix

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if the Cadence NAND controller hardware is present and the driver is loaded. Most systems will not have this specific hardware.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially requiring physical access to restart the system.

🟠

Likely Case

System crash or kernel panic when the vulnerable driver code path is triggered, resulting in temporary denial of service.

🟢

If Mitigated

No impact if the vulnerable driver is not loaded or the specific hardware is not present.

🌐 Internet-Facing: LOW - This is a local kernel driver vulnerability requiring specific hardware and driver loading.

🏢 Internal Only: MEDIUM - Could be exploited by local users or through other vulnerabilities to cause denial of service on affected systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the vulnerable code path in the Cadence NAND driver, which typically requires specific hardware and driver loading conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel versions with commits 069af5e27c1b0f7677ef76d8d3102e503ca4f80b or later

Vendor Advisory: https://git.kernel.org/stable/c/069af5e27c1b0f7677ef76d8d3102e503ca4f80b

Restart Required: Yes

Instructions:

1. Update to a patched Linux kernel version from your distribution vendor. 2. Reboot the system to load the new kernel. 3. Verify the fix is applied by checking kernel version or examining the driver source.

🔧 Temporary Workarounds

Disable Cadence NAND driver

linux

Prevent loading of the vulnerable driver module if not needed

echo 'blacklist cadence_nand' >> /etc/modprobe.d/blacklist.conf
rmmod cadence_nand

🧯 If You Can't Patch

Ensure the Cadence NAND driver is not loaded if the hardware is not present
Implement strict access controls to prevent local users from triggering the vulnerable code path

🔍 How to Verify

Check if Vulnerable:

Check if the cadence_nand module is loaded: lsmod | grep cadence_nand. If loaded and kernel version is unpatched, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Check kernel version is patched: uname -r should show version with fix commits. Verify cadence_nand module loads without issues.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/kern.log or dmesg
NULL pointer dereference errors in kernel logs

Network Indicators:

None - this is a local kernel vulnerability

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "cadence_nand")

📊 Metadata

CVE ID: CVE-2022-49494

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.04% exploit probability (10th percentile)

Published: February 26, 2025

Last Updated: October 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-49494, you might also want to check these: