CVE-2022-49286

MEDIUM

Linux Kernel 4.12-5.17 - NULL Pointer Dereference in tpm2_del_space()

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: tpm: use try_get_ops() in tpm-space.c As part of the series conversion to remove nested TPM operations: https://lore.kernel.org/all/[email protected]/ exposure of the chip->tpm_mutex was removed from much of the upper level code. In this conversion, tpm2_del_space() was missed. This didn't matter much because it's usually called closely after a converted operation, so there's only a very tiny race window where the chip can be removed before the space flushing is done which causes a NULL deref on the mutex. However, there are reports of this window being hit in practice, so fix this by converting tpm2_del_space() to use tpm_try_get_ops(), which performs all the teardown checks before acquring the mutex.

References (6)

Core 6

Scores

CVSS v3 4.7
EPSS 0.0022
EPSS Percentile 12.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (21)
linux/Kernel 4.12.0 - 5.4.188linux
linux/Kernel 5.11.0 - 5.15.32linux
linux/Kernel 5.16.0 - 5.16.18linux
linux/Kernel 5.17.0 - 5.17.1linux
linux/Kernel 5.5.0 - 5.10.109linux
Linux/Linux < 4.12
Linux/Linux 4.12
Linux/Linux 5.10.109 - 5.10.*
Linux/Linux 5.15.32 - 5.15.*
Linux/Linux 5.16.18 - 5.16.*
... and 11 more
Published Feb 26, 2025
Tracked Since Feb 18, 2026