{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-27T15:12:20.950","vulnerabilities":[{"cve":{"id":"CVE-2022-50035","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:31.897","lastModified":"2025-11-13T18:42:44.033","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix use-after-free on amdgpu_bo_list mutex\n\nIf amdgpu_cs_vm_handling returns r != 0, then it will unlock the\nbo_list_mutex inside the function amdgpu_cs_vm_handling and again on\namdgpu_cs_parser_fini. This problem results in the following\nuse-after-free problem:\n\n[ 220.280990] ------------[ cut here ]------------\n[ 220.281000] refcount_t: underflow; use-after-free.\n[ 220.281019] WARNING: CPU: 1 PID: 3746 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n[ 220.281029] ------------[ cut here ]------------\n[ 220.281415] CPU: 1 PID: 3746 Comm: chrome:cs0 Tainted: G W L ------- --- 5.20.0-0.rc0.20220812git7ebfc85e2cd7.10.fc38.x86_64 #1\n[ 220.281421] Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 4403 04/27/2022\n[ 220.281426] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[ 220.281431] Code: 01 01 e8 79 4a 6f 00 0f 0b e9 42 47 a5 00 80 3d de\n7e be 01 00 75 85 48 c7 c7 f8 98 8e 98 c6 05 ce 7e be 01 01 e8 56 4a\n6f 00 <0f> 0b e9 1f 47 a5 00 80 3d b9 7e be 01 00 0f 85 5e ff ff ff 48\nc7\n[ 220.281437] RSP: 0018:ffffb4b0d18d7a80 EFLAGS: 00010282\n[ 220.281443] RAX: 0000000000000026 RBX: 0000000000000003 RCX: 0000000000000000\n[ 220.281448] RDX: 0000000000000001 RSI: ffffffff988d06dc RDI: 00000000ffffffff\n[ 220.281452] RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffb4b0d18d7930\n[ 220.281457] R10: 0000000000000003 R11: ffffa0672e2fffe8 R12: ffffa058ca360400\n[ 220.281461] R13: ffffa05846c50a18 R14: 00000000fffffe00 R15: 0000000000000003\n[ 220.281465] FS: 00007f82683e06c0(0000) GS:ffffa066e2e00000(0000) knlGS:0000000000000000\n[ 220.281470] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 220.281475] CR2: 00003590005cc000 CR3: 00000001fca46000 CR4: 0000000000350ee0\n[ 220.281480] Call Trace:\n[ 220.281485] <TASK>\n[ 220.281490] amdgpu_cs_ioctl+0x4e2/0x2070 [amdgpu]\n[ 220.281806] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]\n[ 220.282028] drm_ioctl_kernel+0xa4/0x150\n[ 220.282043] drm_ioctl+0x21f/0x420\n[ 220.282053] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]\n[ 220.282275] ? lock_release+0x14f/0x460\n[ 220.282282] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 220.282290] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 220.282297] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282305] ? _raw_spin_unlock_irqrestore+0x40/0x60\n[ 220.282317] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu]\n[ 220.282534] __x64_sys_ioctl+0x90/0xd0\n[ 220.282545] do_syscall_64+0x5b/0x80\n[ 220.282551] ? futex_wake+0x6c/0x150\n[ 220.282568] ? lock_is_held_type+0xe8/0x140\n[ 220.282580] ? do_syscall_64+0x67/0x80\n[ 220.282585] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282592] ? do_syscall_64+0x67/0x80\n[ 220.282597] ? do_syscall_64+0x67/0x80\n[ 220.282602] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282609] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 220.282616] RIP: 0033:0x7f8282a4f8bf\n[ 220.282639] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10\n00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00\n0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00\n00\n[ 220.282644] RSP: 002b:00007f82683df410 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 220.282651] RAX: ffffffffffffffda RBX: 00007f82683df588 RCX: 00007f8282a4f8bf\n[ 220.282655] RDX: 00007f82683df4d0 RSI: 00000000c0186444 RDI: 0000000000000018\n[ 220.282659] RBP: 00007f82683df4d0 R08: 00007f82683df5e0 R09: 00007f82683df4b0\n[ 220.282663] R10: 00001d04000a0600 R11: 0000000000000246 R12: 00000000c0186444\n[ 220.282667] R13: 0000000000000018 R14: 00007f82683df588 R15: 0000000000000003\n[ 220.282689] </TASK>\n[ 220.282693] irq event stamp: 6232311\n[ 220.282697] hardirqs last enabled at (6232319): [<ffffffff9718cd7e>] __up_console_sem+0x5e/0x70\n[ 220.282704] hardirqs last disabled at (6232326): [<ffffffff9718cd63>] __up_console_sem+0x43/0x70\n[ 220.282709] softirqs last enabled at (6232072): [<ffffffff970ff669>] __irq_exit_rcu+0xf9/0x170\n[ 220.282716] softirqs last disabled at (6232061): [<ffffffff97\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: Se corrige el Use-After-Free en el mutex amdgpu_bo_list. Si amdgpu_cs_vm_handling devuelve r != 0, se desbloqueará el mutex bo_list dentro de la función amdgpu_cs_vm_handling y de nuevo en amdgpu_cs_parser_fini. Este problema genera el siguiente problema de Use-After-Free: [ 220.280990] ------------[ corte aquí ]------------ [ 220.281000] refcount_t: desbordamiento; Use-After-Free. [ 220.281019] ADVERTENCIA: CPU: 1 PID: 3746 en lib/refcount.c:28 refcount_warn_saturate+0xba/0x110 [ 220.281029] ------------[ cortar aquí ]------------ [ 220.281415] CPU: 1 PID: 3746 Comm: chrome:cs0 Tainted: GWL ------- --- 5.20.0-0.rc0.20220812git7ebfc85e2cd7.10.fc38.x86_64 #1 [ 220.281421] Nombre del hardware: Fabricante del sistema Nombre del producto del sistema/ROG STRIX X570-I GAMING, BIOS 4403 27/04/2022 [ 220.281426] RIP: 0010:refcount_warn_saturate+0xba/0x110 [ 220.281431] Código: 01 01 e8 79 4a 6f 00 0f 0b e9 42 47 a5 00 80 3d de 7e be 01 00 75 85 48 c7 c7 f8 98 8e 98 c6 05 ce 7e be 01 01 e8 56 4a 6f 00 &lt;0f&gt; 0b e9 1f 47 a5 00 80 3d b9 7e be 01 00 0f 85 5e ff ff ff 48 c7 [ 220.281437] RSP: 0018:ffffb4b0d18d7a80 EFLAGS: 00010282 [ 220.281443] RAX: 00000000000000026 RBX: 0000000000000003 RCX: 00000000000000000 [ 220.281448] RDX: 0000000000000001 RSI: ffffffff988d06dc RDI: 00000000ffffffff [ 220.281452] RBP: 00000000ffffffff R08: 00000000000000000 R09: ffffb4b0d18d7930 [220.281457] R10: 00000000000000003 R11: ffffa0672e2fffe8 R12: ffffa058ca360400 [ 220.281461] R13: ffffa05846c50a18 R14: 00000000fffffe00 R15: 000000000000003 [ 220.281465] FS: 00007f82683e06c0(0000) GS:ffffa066e2e00000(0000) knlGS:0000000000000000 [ 220.281470] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 220.281475] CR2: 00003590005cc000 CR3: 00000001fca46000 CR4: 0000000000350ee0 [ 220.281480] Seguimiento de llamadas: [ 220.281485]  [ 220.281490] amdgpu_cs_ioctl+0x4e2/0x2070 [amdgpu] [ 220.281806] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu] [ 220.282028] drm_ioctl_kernel+0xa4/0x150 [ 220.282043] drm_ioctl+0x21f/0x420 [ 220.282053] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu] [ 220.282275] ? lock_release+0x14f/0x460 [ 220.282282] ? _raw_spin_unlock_irqrestore+0x30/0x60 [ 220.282290] ? _raw_spin_unlock_irqrestore+0x30/0x60 [ 220.282297] ? lockdep_hardirqs_on+0x7d/0x100 [ 220.282305] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 220.282317] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu] [ 220.282534] __x64_sys_ioctl+0x90/0xd0 [ 220.282545] do_syscall_64+0x5b/0x80 [ 220.282551] ? futex_wake+0x6c/0x150 [ 220.282568] ? lock_is_held_type+0xe8/0x140 [ 220.282580] ? do_syscall_64+0x67/0x80 [ 220.282585] ? lockdep_hardirqs_on+0x7d/0x100 [ 220.282592] ? do_syscall_64+0x67/0x80 [ 220.282597] ? do_syscall_64+0x67/0x80 [ 220.282602] ? lockdep_hardirqs_on+0x7d/0x100 [ 220.282609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 220.282616] RIP: 0033:0x7f8282a4f8bf [ 220.282639] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 &lt;89&gt; c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 220.282644] RSP: 002b:00007f82683df410 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 220.282651] RAX: ffffffffffffffda RBX: 00007f82683df588 RCX: 00007f8282a4f8bf [ 220.282655] RDX: 00007f82683df4d0 RSI: 00000000c0186444 RDI: 0000000000000018 [ 220.282659] RBP: 00007f82683df4d0 R08: 00007f82683df5e0 R09: 00007f82683df4b0 [ 220.282663] R10: 00001d04000a0600 R11: 0000000000000246 R12: 00000000c0186444 [ 220.282667] R13: 0000000000000018 R14: 00007f82683df588 R15: 0000000000000003 [ 220.282689]  [ 220.282693] marca de evento irq: 6232311 [ 220.282697] hardirqs se habilitaron por última vez en (6232319): [] __up_console_sem+0x5e/0x70 [ 220.282704] hardirqs se deshabilitaron por última vez en (6232326): [] __up_console_sem+0x43/0x70 [ 220.282709] softirqs se habilitaron por última vez en (6232072): [] __irq_exit_rcu+0xf9/0x170 [ 220.282716] softirqs ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.1","versionEndExcluding":"5.19.4","matchCriteriaId":"5C857EF4-99EB-49A6-8FCF-019E3DADA251"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:-:*:*:*:*:*:*","matchCriteriaId":"9D759CCF-9E1B-41B2-81AA-CB580C5F3EEC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:rc8:*:*:*:*:*:*","matchCriteriaId":"2CF5D19C-C418-4B57-B52D-7795547F4096"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*","matchCriteriaId":"E8BD11A3-8643-49B6-BADE-5029A0117325"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1b38e3b423f0bb41ee6abae5ca9deec1546ba227","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bbca24d0a3c11193bafb9e174f89f52a379006e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}