CVE-2022-49046: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49046 is a vulnerability in the Linux kernel's I2C subsystem, discovered and disclosed in February 2025. The vulnerability specifically affects the device name setting functionality in the I2C device driver, where a failure to check the return value of devsetname() could lead to a null pointer dereference (NVD, Ubuntu).

The vulnerability exists in the i2c-dev.c file where the devsetname() function's return value was not being properly checked. If devsetname() fails, the devname() becomes null, which could lead to a null pointer dereference. This issue was introduced in a previous fix attempt related to race conditions between the release of i2cdev and cdev (Kernel Commit).

The vulnerability affects various Linux distributions and could potentially lead to system instability or crashes when interacting with I2C devices. Multiple Ubuntu versions including 22.04 LTS (jammy) and 20.04 LTS (focal) were marked as vulnerable (Ubuntu).

The issue has been patched in the Linux kernel through a commit that adds proper return value checking for devsetname(). The fix includes additional error handling code and proper cleanup in case of failure. The patch has been backported to various stable kernel versions (Kernel Patch).