CVE-2022-49726

MEDIUM

Linux Kernel 5.3-5.18.5 - Use of Uninitialized Resource via EXPORT_SYMBOL and __init

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved:

clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()

EXPORT_SYMBOL and __init is a bad combination because the .init.text section is freed up after the initialization. Hence, modules cannot use symbols annotated __init. The access to a freed symbol may end up with kernel panic.

modpost used to detect it, but it has been broken for a decade.

Recently, I fixed modpost so it started to warn it again, then this showed up in linux-next builds.

There are two ways to fix it:

- Remove __init
- Remove EXPORT_SYMBOL

I chose the latter for this case because the only in-tree call-site, arch/x86/kernel/cpu/mshyperv.c is never compiled as modular. (CONFIG_HYPERVISOR_GUEST is boolean)

Scores

CVSS v3 5.5
EPSS 0.0026
EPSS Percentile 17.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-908
Status published
Products (18)
linux/Kernel 5.11.0 - 5.15.49
linux/Kernel 5.16.0 - 5.18.6
linux/Kernel 5.3.0 - 5.4.200
linux/Kernel 5.5.0 - 5.10.124
Linux/Linux < 5.3
Linux/Linux 5.10.124 - 5.10.*
Linux/Linux 5.15.49 - 5.15.*
Linux/Linux 5.18.6 - 5.18.*
Linux/Linux 5.19
Linux/Linux 5.3
... and 8 more
Published Feb 26, 2025
Tracked Since Feb 18, 2026