LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49493: ASoC: rt5645: Fix errorenous cleanup order

In the Linux kernel, the following vulnerability has been resolved: ASoC: rt5645: Fix errorenous cleanup order There is a logic error when removing rt5645 device as the function rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and delete the &rt5645->btn_check_timer latter. However, since the timer handler rt5645_btn_check_callback() will re-queue the jack_detect_work, this cleanup order is buggy. That is, once the del_timer_sync in rt5645_i2c_remove is concurrently run with the rt5645_btn_check_callback, the canceled jack_detect_work will be rescheduled again, leading to possible use-after-free. This patch fix the issue by placing the del_timer_sync function before the cancel_delayed_work_sync.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2022-49493 is a Linux kernel flaw in the rt5645 audio driver. During device removal, cleanup happens in the wrong order, creating a possible use-after-free. The issue is local, not remotely reachable by itself, but the CVSS score rates impact as high for confidentiality, integrity, and availability.

Executive priority

Prioritize in normal high-severity kernel patch cycles, with faster handling for endpoints or embedded devices using the rt5645 audio driver. There is no provided evidence of internet exposure or active exploitation, but kernel use-after-free bugs can carry serious local impact.

Technical view

The ASoC rt5645 I2C remove path cancels jack_detect_work before deleting btn_check_timer. The timer callback can requeue jack_detect_work after cancellation, so concurrent removal can reschedule work against freed driver state, producing a potential CWE-416 use-after-free.

Likely exposure

Exposure appears limited to Linux systems using affected kernels with the rt5645 ASoC audio codec driver path present. The source data identifies Linux kernel version ranges and upstream stable fixes, but distribution-specific backports require local verification.

Exploitation context

The CVSS vector is local, low complexity, low privileges, no user interaction. The provided bundle marks KEV as false and gives no evidence of active exploitation or public weaponization. Treat as a local privilege or stability risk until vendor guidance says otherwise.

Researcher notes

The vulnerability is a race in removal cleanup ordering: del_timer_sync must occur before cancel_delayed_work_sync to prevent callback-driven work requeueing. Evidence is strongest for upstream Linux; affected status in downstream vendor kernels depends on backports and configuration.

Mitigation direction

  • Update to a vendor kernel containing the upstream stable rt5645 cleanup-order fix.
  • Prioritize devices that expose or load the rt5645 ASoC codec driver.
  • Check Linux distribution advisories for backported fixed package versions.
  • If patching is delayed, follow vendor guidance for supported mitigations.
  • Do not rely solely on upstream version numbers for distribution kernels.

Validation and detection

  • Inventory running kernel versions and distribution kernel package revisions.
  • Check whether the rt5645 driver is built, loaded, or relevant to deployed hardware.
  • Compare kernel source or changelog against the listed upstream stable commits.
  • Confirm vendor advisory status for each supported Linux distribution.
  • Document systems where the driver path is absent or unreachable.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-49493 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2022-49493Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxa6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5, a6ff8ddcf3f38ec84337e5e7eb3e0e9a73754cf5unaffected
LinuxLinux4.13, 0, 4.14.283, 4.19.247, 5.4.198, 5.10.121, 5.15.46, 5.17.14, 5.18.3, 5.19affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.