CVE-2022-49493: ASoC: rt5645: Fix errorenous cleanup order
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt5645: Fix errorenous cleanup order
There is a logic error when removing rt5645 device as the function
rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and
delete the &rt5645->btn_check_timer latter. However, since the timer
handler rt5645_btn_check_callback() will re-queue the jack_detect_work,
this cleanup order is buggy.
That is, once the del_timer_sync in rt5645_i2c_remove is concurrently
run with the rt5645_btn_check_callback, the canceled jack_detect_work
will be rescheduled again, leading to possible use-after-free.
This patch fix the issue by placing the del_timer_sync function before
the cancel_delayed_work_sync.
Security readout for executives and security teams
Plain-English summary
CVE-2022-49493 is a Linux kernel flaw in the rt5645 audio driver. During device removal, cleanup happens in the wrong order, creating a possible use-after-free. The issue is local, not remotely reachable by itself, but the CVSS score rates impact as high for confidentiality, integrity, and availability.
Executive priority
Prioritize in normal high-severity kernel patch cycles, with faster handling for endpoints or embedded devices using the rt5645 audio driver. There is no provided evidence of internet exposure or active exploitation, but kernel use-after-free bugs can carry serious local impact.
Technical view
The ASoC rt5645 I2C remove path cancels jack_detect_work before deleting btn_check_timer. The timer callback can requeue jack_detect_work after cancellation, so concurrent removal can reschedule work against freed driver state, producing a potential CWE-416 use-after-free.
Likely exposure
Exposure appears limited to Linux systems using affected kernels with the rt5645 ASoC audio codec driver path present. The source data identifies Linux kernel version ranges and upstream stable fixes, but distribution-specific backports require local verification.
Exploitation context
The CVSS vector is local, low complexity, low privileges, no user interaction. The provided bundle marks KEV as false and gives no evidence of active exploitation or public weaponization. Treat as a local privilege or stability risk until vendor guidance says otherwise.
Researcher notes
The vulnerability is a race in removal cleanup ordering: del_timer_sync must occur before cancel_delayed_work_sync to prevent callback-driven work requeueing. Evidence is strongest for upstream Linux; affected status in downstream vendor kernels depends on backports and configuration.
Mitigation direction
Update to a vendor kernel containing the upstream stable rt5645 cleanup-order fix.
Prioritize devices that expose or load the rt5645 ASoC codec driver.
Check Linux distribution advisories for backported fixed package versions.
If patching is delayed, follow vendor guidance for supported mitigations.
Do not rely solely on upstream version numbers for distribution kernels.
Validation and detection
Inventory running kernel versions and distribution kernel package revisions.
Check whether the rt5645 driver is built, loaded, or relevant to deployed hardware.
Compare kernel source or changelog against the listed upstream stable commits.
Confirm vendor advisory status for each supported Linux distribution.
Document systems where the driver path is absent or unreachable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
9Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.