CVE-2022-49496
📋 TL;DR
A NULL pointer dereference vulnerability in the MediaTek vcodec decoder driver for Linux kernels causes a kernel crash when removing the mtk-vcodec-dec.ko module. This affects Linux systems with MediaTek hardware using the vulnerable driver, potentially leading to denial of service.
💻 Affected Systems
- Linux kernel with MediaTek vcodec decoder driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.
Likely Case
System crash when attempting to remove the vcodec driver module, causing service disruption.
If Mitigated
No impact if the vulnerable driver is not loaded or the system is patched.
🎯 Exploit Status
Exploitation requires local access and ability to load/unload kernel modules (typically root or CAP_SYS_MODULE).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 1fa37b00dc55a061a3eb82e378849862b4aeca9d and c10c0086db688c95bb4e0e378e523818dff1551d
Vendor Advisory: https://git.kernel.org/stable/c/1fa37b00dc55a061a3eb82e378849862b4aeca9d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Rebuild the kernel if using a custom kernel.
3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
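Prevent module removal
Linux: Restrict the ability to remove the vulnerable kernel module
# Make `modprobe -r` run /bin/false instead of unloading the module (a direct rmmod by root is not blocked by this)
echo 'remove mtk_vcodec_dec /bin/false' >> /etc/modprobe.d/disable-mtk-vcodec.conf
# Do not run rmmod mtk_vcodec_dec on an unpatched kernel: removing the module is what triggers the crash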
Disable module loading
Linux: Prevent automatic loading of the vulnerable module (a blacklist entry does not stop an explicit modprobe)
echo 'blacklist mtk_vcodec_dec' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict module loading capabilities to trusted users only
- Monitor for attempts to load/unload kernel modules
🔍 How to Verify
Check if Vulnerable:
Check if mtk_vcodec_dec module is loaded: lsmod | grep mtk_vcodec_dec
Check Version:
uname -r
Verify Fix Applied:
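Check that the source tree the running kernel was built from contains one of the fix commits (/proc/version does not list commits, so run this inside that kernel's git tree): git merge-base --is-ancestor 1fa37b00dc55a061a3eb82e378849862b4aeca9d HEAD || git merge-base --is-ancestor c10c0086db688c95bb4e0e378e523818dff1551d HEAD
For a distribution kernel, check the vendor's kernel changelog for CVE-2022-49496.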
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- Module removal attempts in system logs
Network Indicators:
- None - local vulnerability
SIEM Query:
source="kernel" AND ("mtk_vcodec_dec_remove" OR "do_raw_spin_trylock")
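An added example, not part of the advisory: a shell function that counts kernel oops reports whose call trace contains mtk_vcodec_dec_remove, so that do_raw_spin_trylock on its own does not raise an alert. The sample log lines and the oops start markers are constructed assumptions, not captures from an affected system.

```shell
#!/bin/sh
# Reads kernel log text (dmesg or kern.log format) on stdin and prints the
# number of oops reports that mention mtk_vcodec_dec_remove.
count_vcodec_remove_oops() {
    awk '
        # Start of an oops report. These markers are assumptions covering
        # common arm64 and x86 kernel messages.
        /Unable to handle kernel|BUG: kernel NULL pointer dereference|Internal error: Oops/ {
            if (!in_oops) { in_oops = 1; hit = 0 }
        }
        # The remove function only counts when it appears inside a report.
        in_oops && /mtk_vcodec_dec_remove/ { hit = 1 }
        # End of the report: record it if the remove function was seen.
        in_oops && /---\[ end trace/ { hits += hit; in_oops = 0; hit = 0 }
        END {
            if (in_oops) hits += hit   # log cut off before the end marker
            print hits + 0
        }
    '
}

# Constructed sample: an oops during module removal.
sample_rmmod_oops() {
    cat <<'EOF'
[  101.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  101.000010] Internal error: Oops: 96000004 [#1] SMP
[  101.000020] pc : do_raw_spin_trylock+0x0/0x0
[  101.000030] Call trace:
[  101.000040]  do_raw_spin_trylock+0x0/0x0
[  101.000050]  mtk_vcodec_dec_remove+0x0/0x0
[  101.000060] ---[ end trace 0000000000000000 ]---
EOF
}

# Constructed sample: an unrelated oops that also passes through
# do_raw_spin_trylock (example_other_driver_remove is a made-up symbol).
sample_unrelated_oops() {
    cat <<'EOF'
[  202.000000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  202.000010] Call Trace:
[  202.000020]  do_raw_spin_trylock+0x0/0x0
[  202.000030]  example_other_driver_remove+0x0/0x0
[  202.000040] ---[ end trace 0000000000000000 ]---
EOF
}

# Stand-alone run on the constructed samples; real use: dmesg | count_vcodec_remove_oops
{ sample_unrelated_oops; sample_rmmod_oops; } | count_vcodec_remove_oops
```

A count above zero on an unpatched host means the module removal path crashed at least once in the log window being scanned.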