CVE-2022-50454: drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm will call nouveau_bo_del_ttm() and
free the memory.Thus, when nouveau_bo_init() returns an error, the gem
object has already been released. Then the call to nouveau_bo_ref() will
use the freed "nvbo->bo" and lead to a use-after-free bug.
We should delete the call to nouveau_bo_ref() to avoid the use-after-free.
Security readout for executives and security teams
Plain-English summary
CVE-2022-50454 is a Linux kernel memory-safety bug in the Nouveau graphics driver. A failed graphics buffer import path can reference memory after it has already been freed. Business urgency depends on whether affected systems use the Nouveau driver and affected kernel builds; the sources do not provide CVSS, impact details, or exploit evidence.
Executive priority
Treat this as a targeted kernel maintenance issue until severity is clarified. Prioritize patch validation for Linux endpoints, workstations, and servers where Nouveau is enabled, especially multi-user systems. Do not escalate as actively exploited based on the supplied evidence.
Technical view
The flaw is a use-after-free in nouveau_gem_prime_import_sg_table(). If nouveau_bo_init() fails, ttm may already free the GEM object through nouveau_bo_del_ttm(); a later nouveau_bo_ref() then dereferences freed nvbo->bo memory. The upstream fix removes that reference path in stable kernel commits.
Likely exposure
Exposure is most likely on Linux systems running affected kernel builds with the Nouveau DRM driver available or in use. Systems not using Nouveau are less likely to be exposed, but kernel packaging and module availability should be confirmed locally.
Exploitation context
The bundle marks KEV as false, and no cited source states active exploitation. The provided data does not describe exploitability, required privileges, attack surface, or practical impact beyond the kernel use-after-free condition.
Researcher notes
The key uncertainty is impact. The public record identifies the vulnerable code path and fix, but not CVSS, CWE, required trigger conditions, or exploitability. Validation should focus on kernel branch mapping, distro backports, and Nouveau module exposure rather than assuming universal Linux exposure.
Mitigation direction
Update to a Linux kernel containing the referenced stable fix commits.
Check your Linux distribution advisory for backported fixed package versions.
Prioritize systems where Nouveau is loaded or available on shared-user workloads.
If patching is delayed, follow vendor guidance for supported temporary controls.
Validation and detection
Inventory kernel versions and compare them with distribution fixed versions.
Check whether the nouveau kernel module is present or loaded.
Confirm installed kernel changelogs include the CVE or referenced fix commits.
Run existing regression tests for graphics, GPU, and boot workflows after updating.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50454 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 1, 2025, 11:45 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.