CVE-2022-50704: USB: gadget: Fix use-after-free during usb config switch
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free during usb config switch
In the process of switching USB config from rndis to other config,
if the hardware does not support the ->pullup callback, or the
hardware encounters a low probability fault, both of them may cause
the ->pullup callback to fail, which will then cause a system panic
(use after free).
The gadget drivers sometimes need to be unloaded regardless of the
hardware's behavior.
Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"
gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4
(2) rm /config/usb_gadget/g1/configs/b.1/f1
rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc
(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374
If gadget->ops->pullup() return an error, function rndis_close() will be
called, then it will causes a use-after-free problem.
=======================================================================
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can crash a system during USB gadget configuration changes involving RNDIS. The public record describes a use-after-free that leads to panic when a pullup callback fails. Business impact is most likely availability loss on affected Linux devices using USB gadget mode, especially embedded or device-mode USB products.
Executive priority
Treat as a targeted availability risk for Linux-based appliances, embedded devices, and USB gadget products. Prioritize patch validation where device uptime matters or field recovery is difficult. Broad enterprise server exposure is not established by the provided sources.
Technical view
The flaw is in Linux USB gadget handling during config switches from RNDIS to another configuration. If gadget->ops->pullup() fails or is unsupported, cleanup can call rndis_close() after related state is freed, causing a use-after-free and kernel panic. The source bundle names stable kernel commits as fixes but provides no CVSS or CWE.
Likely exposure
Exposure appears limited to Linux systems using USB gadget configfs with RNDIS functions and configuration switching or removal workflows. The source does not specify remote reachability or required privileges. Distribution kernels may differ because vendors often backport kernel fixes.
Exploitation context
CISA KEV status is false, and the supplied sources do not report active exploitation. The described trigger is operational: changing USB gadget configuration, unlinking an RNDIS function, then removing it after a pullup failure condition.
Researcher notes
Evidence supports a kernel use-after-free leading to panic, not a confirmed privilege escalation or remote exploit. The affected-version data is sparse, so validate against kernel tree commits and downstream vendor backports before declaring systems safe or vulnerable.
Mitigation direction
Review vendor kernel advisories for CVE-2022-50704 and applicable backports.
Update to a kernel containing the referenced stable fixes where available.
Limit USB gadget configfs administration to trusted operators and automation.
Avoid unnecessary RNDIS gadget reconfiguration on unpatched affected devices.
Monitor affected embedded fleets for unexplained kernel panics during USB mode changes.
Validation and detection
Inventory Linux devices using USB gadget mode and RNDIS functions.
Compare running kernel builds against vendor advisories and referenced stable commits.
Check whether gadget configuration workflows can remove or switch RNDIS functions.
Review crash logs for rndis_close, gether_cleanup, or USB gadget panic traces.
Confirm patched devices no longer carry the vulnerable kernel code path.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50704 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 24, 2025, 10:55 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.