CVE-2022-48990: drm/amdgpu: fix use-after-free during gpu recovery
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix use-after-free during gpu recovery
[Why]
[ 754.862560] refcount_t: underflow; use-after-free.
[ 754.862898] Call Trace:
[ 754.862903] <TASK>
[ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]
[ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched]
[How]
The fw_fence may be not init, check whether dma_fence_init
is performed before job free
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel AMDGPU driver memory-safety bug triggered during GPU recovery. The public record describes a refcount underflow and use-after-free, but does not provide CVSS, CWE, business impact, or attack requirements. Exposure is most relevant where affected Linux kernels run AMD GPUs using amdgpu.
Executive priority
Handle through routine kernel patch governance, with priority on workstations, GPU servers, or graphics-heavy Linux hosts using AMD GPUs. Escalate only if your Linux vendor assigns higher severity or publishes exploitation evidence.
Technical view
During drm/amdgpu GPU recovery, a job could be freed when fw_fence was not initialized. The reported trace reaches amdgpu_job_free_cb and drm_sched_main, causing refcount underflow/use-after-free. The fix checks whether dma_fence_init occurred before job free. The record lists Linux 6.0, 6.0.13, and 6.1 as affected.
Likely exposure
Likely limited to Linux systems using AMDGPU on affected kernel builds. Downstream distro kernels may differ because vendors often backport stable fixes without changing upstream version numbers.
Exploitation context
The bundle does not show active exploitation, and KEV is false. It also does not document a remote vector, required privileges, or reliable exploitability. Treat this as a kernel graphics driver memory-safety issue until vendor advisories provide clearer severity.
Researcher notes
Evidence is narrow: the source identifies the faulty amdgpu recovery path and fix condition, but not exploitability, attacker control, or security impact. Avoid assuming remote exposure or privilege escalation without additional vendor or kernel maintainer analysis.
Mitigation direction
Update to a distro kernel containing the referenced stable fixes.
Check Linux vendor advisories for backported package versions.
Prioritize AMD GPU systems running listed affected kernels.
Use standard kernel maintenance windows if no vendor urgency is stated.
Validation and detection
Inventory Linux kernel versions and AMDGPU driver usage.
Confirm whether distro kernel packages include the stable commits.
Review kernel logs for GPU recovery and refcount underflow messages.
Track CVE status in vulnerability management against vendor advisories.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48990 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.