
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-50426 is a vulnerability in the Linux kernel's remoteproc subsystem, specifically in the imx_dsp_rproc component, discovered and disclosed on October 1, 2025. The vulnerability affects the workqueue execution timing in relation to remoteproc stopping operations, potentially leading to kernel crashes (NVD, RedHat).
The vulnerability occurs when the workqueue executes late after remoteproc is stopped or stopping, causing access to already released resources (rpmsg device and endpoint) in rproc_stop_subdevices(). This leads to a kernel dump when rproc_vq_interrupt() attempts to access these released resources. The vulnerability has been assigned a CVSS v3.1 score of 6.0 with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H (RedHat).
The vulnerability can cause kernel crashes when the workqueue attempts to access released resources during the remoteproc stopping process. This requires elevated privileges (CAP_SYS_ADMIN) to exploit, as it depends on the ability to stop/restart the DSP or send messages that trigger the virtqueue handler via remoteproc (RedHat).
The vulnerability has been resolved by adding mutex protection in imx_dsp_rproc_vq_work(). The fix includes skipping the call to rproc_vq_interrupt() if the state is not running. Additionally, the flush workqueue operation has been removed from rproc stop due to the same resource release concerns (NVD).
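The ordering problem and the guard described above can be reproduced in a small userspace model. This is an added example, not the kernel patch or any code from the sources cited on this page. All `model_*` names are hypothetical, the "released resource" is a heap integer standing in for the rpmsg device and endpoint, and the model assumes the stop path holds the same lock as the work handler.

```c
/* Userspace model, constructed for illustration; not the kernel source. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
struct model_rproc {
    pthread_mutex_t lock;   /* stands in for the remoteproc lock */
    int running;            /* 1 while the model state is "running" */
    int *endpoint;          /* stands in for the rpmsg device and endpoint */
    int handled;            /* interrupts processed against a live endpoint */
    int stale;              /* handler calls that arrived after release */
};

/* Stand-in for rproc_vq_interrupt(): it needs the endpoint to be alive. */
static void model_vq_interrupt(struct model_rproc *r) {
    if (!r->endpoint) { r->stale++; return; } /* kernel: released resource */
    (*r->endpoint)++;
    r->handled++;
}

/* Stand-in for the stop path: state changes, then resources are released. */
static void model_stop(struct model_rproc *r) {
    pthread_mutex_lock(&r->lock);
    r->running = 0;
    free(r->endpoint);
    r->endpoint = NULL;
    pthread_mutex_unlock(&r->lock);
}

/* Work handler; guarded = take the lock and skip unless running. */
static void model_vq_work(struct model_rproc *r, int guarded) {
    if (!guarded) { model_vq_interrupt(r); return; }
    pthread_mutex_lock(&r->lock);
    if (r->running)
        model_vq_interrupt(r);
    pthread_mutex_unlock(&r->lock);
}

/* Run the work before or after stop; -1 on a stale call, else calls handled. */
int model_run(int guarded, int stop_first) {
    struct model_rproc r = { PTHREAD_MUTEX_INITIALIZER, 1, calloc(1, sizeof(int)), 0, 0 };
    if (stop_first) model_stop(&r);
    model_vq_work(&r, guarded);
    if (!stop_first) model_stop(&r);
    return r.stale ? -1 : r.handled;
}

int main(void) {
    printf("late work: no guard=%d guarded=%d\n", model_run(0, 1), model_run(1, 1));
}
```

The model runs the late-work ordering deterministically in one thread; in the kernel the same ordering arises from workqueue scheduling relative to the stop path.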
Source: This report was generated using AI