CVE-2022-49724
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's goldfish TTY driver where free_irq() is called with an incorrect device ID during driver removal. This can cause kernel warnings and potential system instability. It affects Linux systems using the goldfish TTY driver, typically in virtualization environments like Android emulators.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash leading to denial of service, potentially allowing privilege escalation if combined with other vulnerabilities.
Likely Case
Kernel warning messages and system instability when the goldfish TTY driver is unloaded, causing denial of service for affected virtualized environments.
If Mitigated
Minor system warnings with no significant impact if the driver isn't actively used or removed.
🎯 Exploit Status
Exploitation requires local access and ability to trigger driver removal. The vulnerability is in driver cleanup code, making reliable exploitation challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions containing commits: 499e13aac6c7, 65ca4db68b68, a6fcd7ffd76a, c4b0b8edccb0, or c83a1d40dc62
Vendor Advisory: https://git.kernel.org/stable/c/499e13aac6c762e1e828172b0f0f5275651d6512
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. For custom kernels, apply the relevant commit from kernel.org.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
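Disable goldfish TTY driver
Linux
Prevent loading of the vulnerable driver module:
echo 'blacklist goldfish_tty' >> /etc/modprobe.d/blacklist.conf
rmmod goldfish_tty
Note: rmmod runs the driver's removal path, which is where this flaw is triggered, so on an unpatched kernel the unload itself may log the 'Trying to free already-free IRQ' warning.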
🧯 If You Can't Patch
- Avoid using Android emulators or virtualization environments that load the goldfish driver
- Implement strict access controls to prevent unauthorized users from unloading kernel modules
🔍 How to Verify
Check if Vulnerable:
Check if goldfish_tty module is loaded: lsmod | grep goldfish_tty. Check kernel version against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits. Check dmesg for absence of 'Trying to free already-free IRQ' warnings during driver operations.
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing 'WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq'
- 'Trying to free already-free IRQ' messages in dmesg
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("free already-free IRQ" OR ("goldfish_tty" AND "WARNING"))
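The module check from "How to Verify" and the two log indicators above, combined into one offline triage script. This is an added example, not part of the original advisory: the function names, verdict strings and the embedded sample log are constructed for illustration. The regex assumes the usual kernel WARNING line layout, so CPU, PID and the manage.c line number do not have to equal the values quoted above.

```shell
#!/bin/sh
# Added example: offline triage of a kernel log for the two indicators above.
# CPU, PID and the manage.c line number vary per kernel build, so the WARNING
# is matched by pattern instead of the literal string from one report.
WARN_RE='WARNING: CPU: [0-9]+ PID: [0-9]+ at kernel/irq/manage\.c:[0-9]+ .*free_irq'
FREE_RE='Trying to free already-free IRQ'

# count_hits REGEX: number of stdin lines matching REGEX (prints 0 on no match)
count_hits() {
    grep -Ec -- "$1" || true
}

# triage LOGFILE LSMODFILE: print a one-line verdict for one host
triage() {
    warn=$(count_hits "$WARN_RE" < "$1")
    free=$(count_hits "$FREE_RE" < "$1")
    if [ "$warn" -gt 0 ] || [ "$free" -gt 0 ]; then
        echo "indicator-present warn=$warn free=$free"
    elif grep -Eq '^goldfish_tty[[:space:]]' "$2"; then
        echo "module-loaded-no-indicator"
    else
        echo "clean"
    fi
}

# Constructed sample input (not captured from a real system).
sample_log() {
    cat <<'EOF'
[   41.100000] ------------[ cut here ]------------
[   41.100010] Trying to free already-free IRQ 65
[   41.100020] WARNING: CPU: 1 PID: 412 at kernel/irq/manage.c:1862 free_irq+0x0/0x0
[   41.200000] unrelated constructed line
EOF
}
sample_lsmod() {
    printf 'Module                  Size  Used by\ngoldfish_tty           16384  0\n'
}

tmp=$(mktemp -d)
sample_log   > "$tmp/dmesg.txt"
sample_lsmod > "$tmp/lsmod.txt"
: > "$tmp/empty.txt"
triage "$tmp/dmesg.txt" "$tmp/lsmod.txt"   # log carries both indicators
triage "$tmp/empty.txt" "$tmp/lsmod.txt"   # module present, nothing logged
triage "$tmp/empty.txt" "$tmp/empty.txt"   # neither
rm -rf "$tmp"
```

On a live host, feed it `dmesg` and `lsmod` output saved to files; a fixed-string search for the exact WARNING text quoted above would miss the constructed sample line because its CPU, PID and line number differ.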
🔗 References
- https://git.kernel.org/stable/c/499e13aac6c762e1e828172b0f0f5275651d6512
- https://git.kernel.org/stable/c/65ca4db68b6819244df9024aea4be55edf8af1ef
- https://git.kernel.org/stable/c/a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8
- https://git.kernel.org/stable/c/c4b0b8edccb0cfb15a8cecf4161e0571d3daac64
- https://git.kernel.org/stable/c/c83a1d40dc624070a203eb383ef9fb60eb634136
- https://git.kernel.org/stable/c/f7183c76d500324b8b5bd0af5e663cfa57b7b836
- https://git.kernel.org/stable/c/fb15e79cacddfbc62264e6e807bde50ad688e988