CVE-2022-49082
CVSS 3.1 Score 7.8 of 10 (high)
Details
Summary
CVE-2022-49082: A use-after-free vulnerability was identified in the function _scsih_expander_node_remove() of the Linux kernel's mpt3sas driver. The function calls mpt3sas_transport_port_remove(), which frees the port field of the sas_expander structure; the ioc_info() call that follows then dereferences the freed port, which is the use-after-free condition. This can result in a kernel crash or potential code injection. The fix introduces a local variable, port_id, that stores the port ID value before mpt3sas_transport_port_remove() is executed, and passes that variable to ioc_info() instead of dereferencing the freed port structure.
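The ordering bug and its fix, as an added example that is not the driver's code: a simplified userland model in which the struct layouts, the one-slot pool and the function names port_alloc, port_remove, expander_remove_vulnerable and expander_remove_fixed are assumptions made for illustration. Release is modelled by poisoning a static slot, so the stale read is well-defined here and visibly returns garbage instead of the real port ID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userland model; names and layout are hypothetical, not driver code. */
#define POISON_FREE 0x6b   /* byte Linux slab debugging writes into freed objects */

struct port { uint8_t port_id; };
struct expander { uint16_t handle; struct port *port; };

static struct port pool[1];   /* static slot: a read after release stays defined */

static struct port *port_alloc(uint8_t id)
{
    pool[0].port_id = id;
    return &pool[0];
}

/* Stands in for mpt3sas_transport_port_remove(): the port object is released. */
static void port_remove(struct port *p)
{
    memset(p, POISON_FREE, sizeof(*p));
}

/* Before the fix: the log argument dereferences the port after its release. */
static int expander_remove_vulnerable(struct expander *e)
{
    port_remove(e->port);
    int logged = e->port->port_id;   /* stale pointer: poison, not the real ID */
    printf("expander_remove: handle(0x%04x), port:%d\n", (unsigned)e->handle, logged);
    return logged;
}

/* After the fix: copy port_id to a local before the release, log the local. */
static int expander_remove_fixed(struct expander *e)
{
    int port_id = e->port->port_id;
    port_remove(e->port);
    printf("expander_remove: handle(0x%04x), port:%d\n", (unsigned)e->handle, port_id);
    return port_id;
}

int main(void)
{
    struct expander a = { 0x0009, port_alloc(3) };   /* constructed sample values */
    int bad = expander_remove_vulnerable(&a);
    struct expander b = { 0x0009, port_alloc(3) };
    int good = expander_remove_fixed(&b);
    return (bad == POISON_FREE && good == 3) ? 0 : 1;
}
```

In the kernel the released memory can be reallocated for other data before the log call runs, so the stale read is not limited to a fixed poison byte.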
Affected Products
- Linux Kernel
Affected Vendors
- LINUX