What is CVE-2022-48735?

CVE-2022-48735 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, classified as a Use After Free flaw (CWE-416). CVE-2022-48735 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-48735?

CVE-2022-48735 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2022-48735?

No patch is currently available for CVE-2022-48735. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2022-48735 actively exploited?

CVE-2022-48735 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/416.html

CVE-2022-48735

High

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback. For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec.

Package Linux Kernel

Published 2024-06-20

Last modified 2025-05-23

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-416

CVE-2022-48735 is a Use After Free vulnerability

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

References

The following references provide additional information about CVE-2022-48735 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0e629052f013eeb61494d4df2f1f647c2a9aef47
Patch
Kernel patch commit
https://git.kernel.org/stable/c/549f8ffc7b2f7561bea7f90930b6c5104318e87b
Patch
Kernel patch commit
https://git.kernel.org/stable/c/813e9f3e06d22e29872d4fd51b54992d89cf66c8
Patch

4 patch commits total View all on NVD

Details

CVE ID CVE-2022-48735

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2024-06-20

Modified 2025-05-23

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2022-48735?

CVE-2022-48735 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 , classified as an Use After Free flaw (CWE-416) . CVE-2022-48735 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2022-48735?

CVE-2022-48735 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2022-48735?

No patch is currently available for CVE-2022-48735. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2022-48735 actively exploited?

No — CVE-2022-48735 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →