CVE-2022-50190: spi: Fix simplification of devm_spi_register_controller
In the Linux kernel, the following vulnerability has been resolved:
spi: Fix simplification of devm_spi_register_controller
This reverts commit 59ebbe40fb51 ("spi: simplify
devm_spi_register_controller").
If devm_add_action() fails in devm_add_action_or_reset(),
devm_spi_unregister() will be called, it decreases the
refcount of 'ctlr->dev' to 0, then it will cause uaf in
the drivers that calling spi_put_controller() in error path.
Security readout for executives and security teams
Plain-English summary
CVE-2022-50190 is a Linux kernel SPI controller cleanup bug. Under an error condition, the kernel may release a device reference too early, creating a use-after-free risk. The source bundle does not provide CVSS, business impact, or confirmed exploitation.
Executive priority
Treat as a kernel maintenance item unless affected SPI-heavy or embedded platforms are business-critical. No exploitation evidence or severity score is provided, but kernel memory-safety bugs deserve timely vendor patch review.
Technical view
The issue is in devm_spi_register_controller after commit 59ebbe40fb51 simplified controller registration. If devm_add_action fails inside devm_add_action_or_reset, devm_spi_unregister can drop ctlr->dev to zero, causing use-after-free in drivers that also call spi_put_controller on error paths.
Likely exposure
Exposure is limited to Linux kernels containing the affected SPI controller change and relevant SPI driver error paths. The bundle lists Linux as affected and references stable kernel fixes, but does not identify distributions, devices, or enabled configurations.
Exploitation context
No active exploitation is stated. The bundle marks KEV as false and includes no public exploit claim. The described trigger is an error path in kernel SPI controller registration, so practical exploitability is not established from the provided evidence.
Researcher notes
The evidence supports a use-after-free caused by refcount handling during devm_add_action_or_reset failure. Impact beyond kernel memory corruption is not described. Version boundaries in the bundle are incomplete, so distribution-specific advisories are needed for accurate exposure decisions.
Mitigation direction
Check vendor kernel advisories for CVE-2022-50190 applicability.
Upgrade to a vendor-supported kernel containing the referenced stable fixes.
Prioritize systems using SPI controller drivers or embedded Linux builds.
Do not deploy custom kernel changes without confirming the revert is included.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Compare kernel sources or vendor changelogs against the referenced stable commits.
Review SPI controller driver usage in affected kernel builds.
Confirm the CVE is absent after patching through vendor security metadata.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50190 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.