CVE-2022-50542

In the Linux kernel, the following vulnerability has been resolved:

media: si470x: Fix use-after-free in si470x_int_in_callback()

syzbot reported use-after-free in si470x_int_in_callback() [1]. This indicates that urb->context, which contains struct si470x_device object, is freed when si470x_int_in_callback() is called.

The cause of this issue is that si470x_int_in_callback() is called for freed urb.

si470x_usb_driver_probe() calls si470x_start_usb(), which then calls usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, si470x_usb_driver_probe() doesn't kill urb, but it just frees struct si470x_device object, as depicted below:

si470x_usb_driver_probe() ... si470x_start_usb() ... usb_submit_urb() retval = si470x_start() return retval if (retval < 0) free struct si470x_device object, but don't kill urb

This patch fixes this issue by killing urb when si470x_start_usb() fails and urb is submitted. If si470x_start_usb() fails and urb is not submitted, i.e. submitting usb fails, it just frees struct si470x_device object.

Published: Oct 7, 2025
Updated: Feb 5, 2026
CVE: CVE-2022-50542
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	3.6	4.9.337
linux / linux_kernel	4.10	4.14.303
linux / linux_kernel	4.15	4.19.270
linux / linux_kernel	4.20	5.4.229
linux / linux_kernel	5.5	5.10.163
linux / linux_kernel	5.11	5.15.86
linux / linux_kernel	5.16	6.0.16
linux / linux_kernel	6.1	6.1.2

Vulnerability Database

324,382

CVE-2022-50542

Deep Security Visibility Without the Complexity