CVE-2022-1974: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-1974 is a use-after-free vulnerability discovered in the Linux kernel's NFC core functionality. The flaw stems from a race condition between kobject creation and deletion operations. This vulnerability was disclosed in June 2022 and affects various Linux kernel versions across multiple distributions (Ubuntu Security, Debian Security).

The vulnerability arises from an improper check using deviceisregistered() in netlink-related functions within the NFC subsystem. The race condition occurs because kobjectdel() in devicedel() is not protected by devicelock, leading to potential use-after-free scenarios. The issue specifically affects functions such as nfcfwdownload(), nfcdev_up(), and other NFC core operations. The vulnerability has been assigned a CVSS 3 Severity Score of 4.1 (Medium) (Ubuntu Security).

This vulnerability allows a local attacker with CAPNETADMIN privileges to leak kernel information, potentially compromising system security. The flaw could lead to information disclosure and possible system instability (CVE Mitre).

The issue has been fixed through a patch that replaces the improper deviceisregistered() check with a boolean variable to properly synchronize the NFC device registration state. Multiple Linux distributions have released patches, including Ubuntu (versions 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS) and Debian (bullseye, bookworm, and sid) (Github Linux, Debian Security).