{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49286", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.302Z", "datePublished": "2025-02-26T01:56:25.566Z", "dateUpdated": "2025-05-04T08:34:16.652Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:34:16.652Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: use try_get_ops() in tpm-space.c\n\nAs part of the series conversion to remove nested TPM operations:\n\nhttps://lore.kernel.org/all/[email protected]/\n\nexposure of the chip->tpm_mutex was removed from much of the upper\nlevel code. In this conversion, tpm2_del_space() was missed. This\ndidn't matter much because it's usually called closely after a\nconverted operation, so there's only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex. However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/char/tpm/tpm2-space.c"], "versions": [{"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "5b1d2561a03e534064b51c50c774657833d3d2cf", "status": "affected", "versionType": "git"}, {"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "95193d12f10a8a088843b25e0f5fe1d83ec6b079", "status": "affected", "versionType": "git"}, {"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "476ddd23f818fb94cf86fb5617f3bb9a7c92113d", "status": "affected", "versionType": "git"}, {"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "eda1662cce964c8a65bb86321f8d9cfa6e9ceaab", "status": "affected", "versionType": "git"}, {"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "ba84f9a48366dcc3cdef978599433efe101dd5bd", "status": "affected", "versionType": "git"}, {"version": "745b361e989af21ad40811c2586b60229f870a68", "lessThan": "fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/char/tpm/tpm2-space.c"], "versions": [{"version": "4.12", "status": "affected"}, {"version": "0", "lessThan": "4.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.188", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.109", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.32", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.18", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.1", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.4.188"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.10.109"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.15.32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.16.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.17.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5b1d2561a03e534064b51c50c774657833d3d2cf"}, {"url": "https://git.kernel.org/stable/c/95193d12f10a8a088843b25e0f5fe1d83ec6b079"}, {"url": "https://git.kernel.org/stable/c/476ddd23f818fb94cf86fb5617f3bb9a7c92113d"}, {"url": "https://git.kernel.org/stable/c/eda1662cce964c8a65bb86321f8d9cfa6e9ceaab"}, {"url": "https://git.kernel.org/stable/c/ba84f9a48366dcc3cdef978599433efe101dd5bd"}, {"url": "https://git.kernel.org/stable/c/fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9"}], "title": "tpm: use try_get_ops() in tpm-space.c", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD3BAB76-7066-4C4A-B4A0-654C0BA86D40", "versionEndExcluding": "5.4.188", "versionStartIncluding": "4.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3E1A428-8D87-4CD4-B9CA-C621B32933F8", "versionEndExcluding": "5.10.109", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3191B916-53BD-46E6-AE21-58197D35768E", "versionEndExcluding": "5.15.32", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C86410A0-E312-4F41-93E9-929EAFB31757", "versionEndExcluding": "5.16.18", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:*:*:*:*:*:*:*", "matchCriteriaId": "35799228-BFF6-4426-AD3B-F452EA83320F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: use try_get_ops() in tpm-space.c\n\nAs part of the series conversion to remove nested TPM operations:\n\nhttps://lore.kernel.org/all/[email protected]/\n\nexposure of the chip->tpm_mutex was removed from much of the upper\nlevel code. In this conversion, tpm2_del_space() was missed. This\ndidn't matter much because it's usually called closely after a\nconverted operation, so there's only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex. However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tpm: uso try_get_ops() en tpm-space.c Como parte de la conversi\u00f3n en serie para eliminar las operaciones TPM anidadas: https://lore.kernel.org/all/[email protected]/ se elimin\u00f3 la exposici\u00f3n del chip->tpm_mutex de gran parte del c\u00f3digo de nivel superior. En esta conversi\u00f3n, se pas\u00f3 por alto tpm2_del_space(). Esto no import\u00f3 mucho porque generalmente se llama poco despu\u00e9s de una operaci\u00f3n convertida, por lo que solo hay una ventana de ejecuci\u00f3n muy peque\u00f1a donde se puede quitar el chip antes de que se realice el vaciado de espacio, lo que provoca una desreferencia NULL en el mutex. Sin embargo, hay informes de que esta ventana se alcanza en la pr\u00e1ctica, as\u00ed que solucione esto convirtiendo tpm2_del_space() para usar tpm_try_get_ops(), que realiza todas las comprobaciones de desmontaje antes de adquirir el mutex."}], "id": "CVE-2022-49286", "lastModified": "2025-09-22T19:35:01.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-02-26T07:01:05.453", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/476ddd23f818fb94cf86fb5617f3bb9a7c92113d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5b1d2561a03e534064b51c50c774657833d3d2cf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/95193d12f10a8a088843b25e0f5fe1d83ec6b079"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba84f9a48366dcc3cdef978599433efe101dd5bd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eda1662cce964c8a65bb86321f8d9cfa6e9ceaab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tpm: use try_get_ops() in tpm-space.c", "id": "2347958", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347958"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntpm: use try_get_ops() in tpm-space.c\nAs part of the series conversion to remove nested TPM operations:\nhttps://lore.kernel.org/all/[email protected]/\nexposure of the chip->tpm_mutex was removed from much of the upper\nlevel code. In this conversion, tpm2_del_space() was missed. This\ndidn't matter much because it's usually called closely after a\nconverted operation, so there's only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex. However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex."], "name": "CVE-2022-49286", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49286\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49286\nhttps://lore.kernel.org/linux-cve-announce/2025022632-CVE-2022-49286-a585@gregkh/T"], "threat_severity": "Moderate"}