CVE-2022-49010: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49010 is a vulnerability in the Linux kernel's hardware monitoring (hwmon) subsystem, specifically in the coretemp driver. The vulnerability was discovered in 2022 and affects Linux kernel versions from 3.0 through 6.1-rc7. The issue occurs when coretemp_add_core() encounters an error, leading to a potential NULL pointer dereference (NVD).

The vulnerability stems from a NULL pointer dereference in the coretemp driver's core removal function. When coretemp_add_core() encounters an error, pdata->core_data[indx] is set to NULL and freed, but the code still attempts to call sysfs_remove_group() on this NULL pointer. This can lead to a kernel crash when the system attempts to access the invalid memory address. The issue is triggered during CPU offline operations, as evidenced by the call trace showing coretemp_cpu_offline in the execution path (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a kernel crash due to NULL pointer dereference, potentially causing system instability or denial of service. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed by adding a NULL pointer check before calling sysfs_remove_group(). The fix has been implemented in various kernel versions and is available through distribution-specific updates. For Red Hat Enterprise Linux, the fix is included in RHEL-9.2 and above (including RHEL 8.10) (Red Hat).