CVE-2022-28388: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-28388 is a double free vulnerability discovered in the Linux kernel through version 5.17.1, specifically affecting the usb8devstartxmit function in drivers/net/can/usb/usb8dev.c. The vulnerability was disclosed in April 2022 and affects the USB2CAN interface implementation (NVD, Debian Security).

The vulnerability is classified as a double free condition (CWE-415) in the USB2CAN interface driver. The issue occurs in the usb8devstartxmit function where there is an unnecessary call to devkfreeskb() when usbsubmiturb() fails, as canputechoskb() already deletes the original skb and canfreeecho_skb() deletes the cloned skb (Linux Commit). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability could lead to a denial of service condition through system crash. The vulnerability requires local access and low privileges to exploit (NetApp Advisory).

The vulnerability has been fixed in multiple Linux distributions. Debian has addressed it in version 5.10.113-1 for bullseye (DSA-5127-1). Fedora has released fixes in kernel versions 5.16.19-200.fc35, 5.17.2-300.fc36, and 5.16.19-100.fc34 (Fedora Updates).