vulnerability

Red Hat: CVE-2022-49501: kernel: usbnet: Run unregister_netdev() before unbind() again

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
1	(AV:L/AC:L/Au:S/C:N/I:N/A:N)	Feb 26, 2025	Jul 9, 2025	Jul 10, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:N)

Published

Feb 26, 2025

Added

Jul 9, 2025

Modified

Jul 10, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usbnet: Run unregister_netdev() before unbind() again

Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()")
sought to fix a use-after-free on disconnect of USB Ethernet adapters.

It turns out that a different fix is necessary to address the issue:
https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/

So the commit was not necessary.

The commit made binding and unbinding of USB Ethernet asymmetrical:
Before, usbnet_probe() first invoked the ->bind() callback and then
register_netdev(). usbnet_disconnect() mirrored that by first invoking
unregister_netdev() and then ->unbind().

Since the commit, the order in usbnet_disconnect() is reversed and no
longer mirrors usbnet_probe().

One consequence is that a PHY disconnected (and stopped) in ->unbind()
is afterwards stopped once more by unregister_netdev() as it closes the
netdev before unregistering. That necessitates a contortion in ->stop()
because the PHY may only be stopped if it hasn't already been
disconnected.

Reverting the commit allows making the call to phy_stop() unconditional
in ->stop().

Solution

no-fix-redhat-rpm-package

References

NVD-CVE-2022-49501

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today