{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49306", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.535Z", "datePublished": "2025-02-26T02:10:38.680Z", "dateUpdated": "2025-09-03T12:58:40.666Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-03T12:58:40.666Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: host: Stop setting the ACPI companion\n\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\n\nAssigning the ACPI companion here resulted in the\nfwnode->secondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/dwc3/host.c"], "versions": [{"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66", "lessThan": "d7f35934f7ab67bfd9adabc84207e59da9c19108", "status": "affected", "versionType": "git"}, {"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66", "lessThan": "9c185fde906a48368bd2d2a8c17d4b6fb3d670af", "status": "affected", "versionType": "git"}, {"version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66", "lessThan": "7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/dwc3/host.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.15", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.4", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.17.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.18.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d7f35934f7ab67bfd9adabc84207e59da9c19108"}, {"url": "https://git.kernel.org/stable/c/9c185fde906a48368bd2d2a8c17d4b6fb3d670af"}, {"url": "https://git.kernel.org/stable/c/7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2"}], "title": "usb: dwc3: host: Stop setting the ACPI companion", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A42A75E-A3B8-47F8-89B9-AE7B6C624806", "versionEndExcluding": "5.17.15", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA6D643C-6D6A-4821-8A8D-B5776B8F0103", "versionEndExcluding": "5.18.4", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: host: Stop setting the ACPI companion\n\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\n\nAssigning the ACPI companion here resulted in the\nfwnode->secondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: host: Detener la configuraci\u00f3n del compa\u00f1ero ACPI Ya no es necesario. El puntero sysdev ahora se utiliza al asignar los compa\u00f1eros ACPI a los puertos xHCI y dispositivos USB. Asignar el compa\u00f1ero ACPI aqu\u00ed result\u00f3 en que el puntero fwnode->secondary tambi\u00e9n se reemplazara para el dispositivo dwc3 principal ya que el fwnode primario (el compa\u00f1ero ACPI) se compart\u00eda. Eso no fue intencional y cre\u00f3 posibles efectos secundarios como fugas de recursos."}], "id": "CVE-2022-49306", "lastModified": "2025-10-21T11:45:22.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:07.413", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9c185fde906a48368bd2d2a8c17d4b6fb3d670af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d7f35934f7ab67bfd9adabc84207e59da9c19108"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8267", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}, {"advisory": "RHSA-2022:8267", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}], "bugzilla": {"description": "kernel: usb: dwc3: host: Stop setting the ACPI companion", "id": "2347702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347702"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: dwc3: host: Stop setting the ACPI companion\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\nAssigning the ACPI companion here resulted in the\nfwnode->secondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks."], "name": "CVE-2022-49306", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49306\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49306\nhttps://lore.kernel.org/linux-cve-announce/2025022635-CVE-2022-49306-a115@gregkh/T"], "threat_severity": "Moderate"}

{}