CVE-2022-24958: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-24958 affects the Linux kernel through version 5.16.8, specifically in the drivers/usb/gadget/legacy/inode.c component where it mishandles dev->buf release. The vulnerability was discovered and disclosed on February 11, 2022 (NVD).

The vulnerability stems from improper handling of dev->buf release in the USB gadget filesystem interface. The issue occurs when dev->buf is released incorrectly in the dev_config function. Two patches were implemented to address this: one to prevent releasing an existing dev->buf, and another to properly clear related members when encountering a failure condition (Linux Kernel Commit, Linux Kernel Commit). The vulnerability has a CVSS v3 score of 7.8 (High) (Ubuntu Security).

The vulnerability can lead to a use-after-free condition, which could result in denial of service (system crash or memory corruption) or potentially allow privilege escalation. Local attackers with permission to configure USB gadgets could exploit this vulnerability (Debian LTS).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed it across multiple versions including 21.10 (5.13.0-48.56), 20.04 LTS (5.4.0-117.132), and 18.04 LTS (4.15.0-177.186). Fedora has addressed it in kernel version 5.16.10 for both Fedora 34 and 35 (Fedora Update).