DEBIAN-CVE-2022-50725
- Source
- https://security-tracker.debian.org/tracker/CVE-2022-50725
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50725.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-50725
- Upstream
- Published
- 2025-12-24T13:15:59.157Z
- Modified
- 2025-12-25T11:14:14.442046Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix use-after-free in vidtvbridgedvbinit() KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvbdmxdevrelease+0x4d5/0x5d0 [dvbcore] Call Trace: ... dvbdmxdevrelease+0x4d5/0x5d0 [dvbcore] vidtvbridgeprobe+0x7bf/0xa40 [dvbvidtvbridge] platformprobe+0xb6/0x170 ... Allocated by task 1238: ... dvbregisterdevice+0x1a7/0xa70 [dvbcore] dvbdmxdevinit+0x2af/0x4a0 [dvbcore] vidtvbridgeprobe+0x766/0xa40 [dvbvidtvbridge] ... Freed by task 1238: dvbregisterdevice+0x6d2/0xa70 [dvbcore] dvbdmxdevinit+0x2af/0x4a0 [dvbcore] vidtvbridgeprobe+0x766/0xa40 [dvbvidtvbridge] ... It is because the error handling in vidtvbridgedvbinit() is wrong. First, vidtvbridgedmx(dev)init() will clean themselves when fail, but goto faildmx(dev): calls release functions again, which causes use-after-free. Also, in failfe, failtunerprobe and faildemodprobe, j = i will cause out-of-bound when i finished its loop (i == NUMFE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause problem. Fix this by correctly releasing everything.
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.178-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source