CVE-2022-50034 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3 fix use-after-free at workaround 2

BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac

cdns3_wa2_remove_old_request()
{
...
kfree(priv_req->request.buf);
cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
list_del_init(&priv_req->list);
^^^ use after free
...
}

cdns3_gadget_ep_free_request() free the space pointed by priv_req,
but priv_req is used in the following list_del_init().

This patch move list_del_init() before cdns3_gadget_ep_free_request().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

Advisories

Source	ID	Title
EUVD	EUVD-2022-55305	In the Linux kernel, the following vulnerability has been resolved: usb: cdns3 fix use-after-free at workaround 2 BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac cdns3_wa2_remove_old_request() { ... kfree(priv_req->request.buf); cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ^^^ use after free ... } cdns3_gadget_ep_free_request() free the space pointed by priv_req, but priv_req is used in the following list_del_init(). This patch move list_del_init() before cdns3_gadget_ep_free_request().

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/6d7ac60098b206d0472475b666cb09d556bec03d
https://git.kernel.org/stable/c/6fd50446e7c9a98b4bcf96815f5c9602a16ea472
https://git.kernel.org/stable/c/7d602f30149a117eea260208b1661bc404c21dfd
https://git.kernel.org/stable/c/c3c1dbad3a2db32ecf371c97f2058491b8ba0f9a
https://git.kernel.org/stable/c/e65d9b7147d7be3504893ca7dfb85286bda83d40
https://lore.kernel.org/linux-cve-announce/2025061840-CVE-2022-50034-0d64@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-50034
https://www.cve.org/CVERecord?id=CVE-2022-50034

History

Thu, 13 Nov 2025 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 19 Jun 2025 03:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025061840-CVE-2022-50034-0d64@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-50034 https://www.cve.org/CVERecord?id=CVE-2022-50034
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 18 Jun 2025 11:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: cdns3 fix use-after-free at workaround 2 BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac cdns3_wa2_remove_old_request() { ... kfree(priv_req->request.buf); cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ^^^ use after free ... } cdns3_gadget_ep_free_request() free the space pointed by priv_req, but priv_req is used in the following list_del_init(). This patch move list_del_init() before cdns3_gadget_ep_free_request().
Title		usb: cdns3 fix use-after-free at workaround 2
References		https://git.kernel.org/stable/c/6d7ac60098b206d0472475b666cb09d556bec03d https://git.kernel.org/stable/c/6fd50446e7c9a98b4bcf96815f5c9602a16ea472 https://git.kernel.org/stable/c/7d602f30149a117eea260208b1661bc404c21dfd https://git.kernel.org/stable/c/c3c1dbad3a2db32ecf371c97f2058491b8ba0f9a https://git.kernel.org/stable/c/e65d9b7147d7be3504893ca7dfb85286bda83d40

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-06-18T11:01:36.435Z

Updated: 2025-06-19T13:10:50.978Z

Reserved: 2025-06-18T10:57:27.396Z

Link: CVE-2022-50034

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-06-18T11:15:31.790

Modified: 2025-11-13T18:42:35.117

Link: CVE-2022-50034

Redhat

Severity : Moderate

Publid Date: 2025-06-18T00:00:00Z

Links: CVE-2022-50034 - Bugzilla

OpenCVE Enrichment

Updated: 2025-06-23T08:45:29Z

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object