LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50704: USB: gadget: Fix use-after-free during usb config switch

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as follows: ======================================================================= (1) write /config/usb_gadget/g1/UDC "none" gether_disconnect+0x2c/0x1f8 rndis_disable+0x4c/0x74 composite_disconnect+0x74/0xb0 configfs_composite_disconnect+0x60/0x7c usb_gadget_disconnect+0x70/0x124 usb_gadget_unregister_driver+0xc8/0x1d8 gadget_dev_desc_UDC_store+0xec/0x1e4 (2) rm /config/usb_gadget/g1/configs/b.1/f1 rndis_deregister+0x28/0x54 rndis_free+0x44/0x7c usb_put_function+0x14/0x1c config_usb_cfg_unlink+0xc4/0xe0 configfs_unlink+0x124/0x1c8 vfs_unlink+0x114/0x1dc (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4 panic+0x1fc/0x3d0 do_page_fault+0xa8/0x46c do_mem_abort+0x3c/0xac el1_sync_handler+0x40/0x78 0xffffff801138f880 rndis_close+0x28/0x34 eth_stop+0x74/0x110 dev_close_many+0x48/0x194 rollback_registered_many+0x118/0x814 unregister_netdev+0x20/0x30 gether_cleanup+0x1c/0x38 rndis_attr_release+0xc/0x14 kref_put+0x74/0xb8 configfs_rmdir+0x314/0x374 If gadget->ops->pullup() return an error, function rndis_close() will be called, then it will causes a use-after-free problem. =======================================================================

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can crash a system during USB gadget configuration changes involving RNDIS. The public record describes a use-after-free that leads to panic when a pullup callback fails. Business impact is most likely availability loss on affected Linux devices using USB gadget mode, especially embedded or device-mode USB products.

Executive priority

Treat as a targeted availability risk for Linux-based appliances, embedded devices, and USB gadget products. Prioritize patch validation where device uptime matters or field recovery is difficult. Broad enterprise server exposure is not established by the provided sources.

Technical view

The flaw is in Linux USB gadget handling during config switches from RNDIS to another configuration. If gadget->ops->pullup() fails or is unsupported, cleanup can call rndis_close() after related state is freed, causing a use-after-free and kernel panic. The source bundle names stable kernel commits as fixes but provides no CVSS or CWE.

Likely exposure

Exposure appears limited to Linux systems using USB gadget configfs with RNDIS functions and configuration switching or removal workflows. The source does not specify remote reachability or required privileges. Distribution kernels may differ because vendors often backport kernel fixes.

Exploitation context

CISA KEV status is false, and the supplied sources do not report active exploitation. The described trigger is operational: changing USB gadget configuration, unlinking an RNDIS function, then removing it after a pullup failure condition.

Researcher notes

Evidence supports a kernel use-after-free leading to panic, not a confirmed privilege escalation or remote exploit. The affected-version data is sparse, so validate against kernel tree commits and downstream vendor backports before declaring systems safe or vulnerable.

Mitigation direction

  • Review vendor kernel advisories for CVE-2022-50704 and applicable backports.
  • Update to a kernel containing the referenced stable fixes where available.
  • Limit USB gadget configfs administration to trusted operators and automation.
  • Avoid unnecessary RNDIS gadget reconfiguration on unpatched affected devices.
  • Monitor affected embedded fleets for unexplained kernel panics during USB mode changes.

Validation and detection

  • Inventory Linux devices using USB gadget mode and RNDIS functions.
  • Compare running kernel builds against vendor advisories and referenced stable commits.
  • Check whether gadget configuration workflows can remove or switch RNDIS functions.
  • Review crash logs for rndis_close, gether_cleanup, or USB gadget panic traces.
  • Confirm patched devices no longer carry the vulnerable kernel code path.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50704 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux0a55187a1ec8c03d0619e7ce41d10fdc39cff036, 0a55187a1ec8c03d0619e7ce41d10fdc39cff036, 0a55187a1ec8c03d0619e7ce41d10fdc39cff036unaffected
LinuxLinux4.20, 0, 6.0.16, 6.1.2, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.