CVE-2022-1419: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-1419 is a race condition vulnerability discovered in the virtual graphics memory manager implementation of the Linux kernel. The vulnerability was discovered by Minh Yuan from Tsinghua University and disclosed on April 21, 2022. The issue affects Linux kernel versions up to (excluding) 5.6. The vulnerability exists in the vgem virtual GPU driver where the ioctl$DRMIOCTLMODEDESTROYDUMB can decrease refcount of drmvgemgemobject (created in vgemgemdumbcreate) concurrently, leading to a use-after-free condition (OSS Security, Ubuntu Security).

The vulnerability is caused by a race condition in the vgem virtual GPU driver. Specifically, when ioctl$DRMIOCTLMODEDESTROYDUMB decreases the reference count of drmvgemgemobject concurrently with vgemgemdumbcreate accessing the object, it can lead to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can allow a local user with access to the GPU device to cause a denial of service (system crash or memory corruption) or potentially execute arbitrary code leading to privilege escalation. The impact is limited to systems where users have access to the virtual GPU device (Debian Security).

The vulnerability was fixed in Linux kernel version 5.6 rc2 through commit 4b848f2 (drm/vgem: Close use-after-free race in vgemgemcreate). Various Linux distributions have released patches for their respective kernel versions. For example, Ubuntu has released updates for affected versions including 16.04 LTS and 18.04 LTS (Ubuntu Security). Debian has also released security updates to address this vulnerability in their distributions (Debian Security).