CVE-2022-49389

In the Linux kernel, the following vulnerability has been resolved:

usb: usbip: fix a refcount leak in stub_probe()

usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.

Fix this by moving usb_put_dev() to sdev_free error path handling.

Find this by code review.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
VendorProductVersion
linuxlinux_kernel
3.16.58 ≤
𝑥
< 3.17
linuxlinux_kernel
3.18.110 ≤
𝑥
< 4.9.318
linuxlinux_kernel
4.10 ≤
𝑥
< 4.14.283
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.247
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.198
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.122
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.47
linuxlinux_kernel
5.16 ≤
𝑥
< 5.17.15
linuxlinux_kernel
5.18 ≤
𝑥
< 5.18.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.234-1
fixed
bookworm
6.1.123-1
fixed
bookworm (security)
6.1.128-1
fixed
trixie
6.12.12-1
fixed
sid
6.12.16-1
fixed
References
https://git.kernel.org/stable/c/11c65408bd0ba1d9cd1307caa38169292de9cdfb
https://git.kernel.org/stable/c/247d3809e45a34d9e1a3a2bb7012e31ed8b46031
https://git.kernel.org/stable/c/2f0ae93ec33c8456cdfbf7876b80403a6318ebce
https://git.kernel.org/stable/c/51422046be504515eb5a591adf0f424b62f46804
https://git.kernel.org/stable/c/6bafee2f18af5e5ac125e42960bc65496d0e56a0
https://git.kernel.org/stable/c/8afb048800919d0ab10c57983940eba956339f21
https://git.kernel.org/stable/c/9ec4cbf1cc55d126759051acfe328d489c5d6e60
https://git.kernel.org/stable/c/bcbb795a9e78180d74c6ab21518da87e803dfdce
https://git.kernel.org/stable/c/f20d2d3b3364ce6525c050a8b6b4c54c8c19674d