CVE-2022-49535

Summary

CVE-2022-49535 is a vulnerability affecting the Linux kernel's lpfc driver. This issue involves a null pointer dereference that can occur when the driver fails to issue FLOGI or PLOGI (First Login Inquiry or Parameter Login Inquiry) commands. If dev-loss-evt (device loss event) work is pending at the time of node release, a use-after-free condition may result, leading to a null pointer dereference. A similar issue arises when processing non-zero ELS (Extended Logical Unit) PLOGI completion status. To mitigate this vulnerability, a test has been added to ensure that dev-loss work is not pending before decrementing the node reference count during FLOGI, PLOGI, PRLI, and ADISC handling.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.