{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49555", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.590Z", "datePublished": "2025-02-26T02:14:03.150Z", "dateUpdated": "2026-05-11T19:02:12.772Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:02:12.772Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Use del_timer_sync() before freeing\n\nWhile looking at a crash report on a timer list being corrupted, which\nusually happens when a timer is freed while still active. This is\ncommonly triggered by code calling del_timer() instead of\ndel_timer_sync() just before freeing.\n\nOne possible culprit is the hci_qca driver, which does exactly that.\n\nEric mentioned that wake_retrans_timer could be rearmed via the work\nqueue, so also move the destruction of the work queue before\ndel_timer_sync()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/hci_qca.c"], "versions": [{"version": "0ff252c1976da5d80db1377eb39b551931e61826", "lessThan": "4989bb03342941f2b730b37dfa38bce27b543661", "status": "affected", "versionType": "git"}, {"version": "0ff252c1976da5d80db1377eb39b551931e61826", "lessThan": "db03727b4bbbbb36e6ef4cb655c670eefb6448e9", "status": "affected", "versionType": "git"}, {"version": "0ff252c1976da5d80db1377eb39b551931e61826", "lessThan": "37d17f63d085d601011964ade7371aeebeb6ed4b", "status": "affected", "versionType": "git"}, {"version": "0ff252c1976da5d80db1377eb39b551931e61826", "lessThan": "2717654ae022e6ea959a4b7b762702fe1a4690c2", "status": "affected", "versionType": "git"}, {"version": "0ff252c1976da5d80db1377eb39b551931e61826", "lessThan": "72ef98445aca568a81c2da050532500a8345ad3a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/hci_qca.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.120", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.45", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.13", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.2", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.10.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.15.45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.17.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.18.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4989bb03342941f2b730b37dfa38bce27b543661"}, {"url": "https://git.kernel.org/stable/c/db03727b4bbbbb36e6ef4cb655c670eefb6448e9"}, {"url": "https://git.kernel.org/stable/c/37d17f63d085d601011964ade7371aeebeb6ed4b"}, {"url": "https://git.kernel.org/stable/c/2717654ae022e6ea959a4b7b762702fe1a4690c2"}, {"url": "https://git.kernel.org/stable/c/72ef98445aca568a81c2da050532500a8345ad3a"}], "title": "Bluetooth: hci_qca: Use del_timer_sync() before freeing", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F54DF9A7-F274-4785-8B1B-D8C960AD1DA9", "versionEndExcluding": "5.10.120", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "08D699AD-F4CE-4BDD-A97E-4997299C7712", "versionEndExcluding": "5.15.45", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "192FC54B-5367-49D6-B410-0285F14665B1", "versionEndExcluding": "5.17.13", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FF255A1-64F4-4E31-AF44-C92FB8773BA2", "versionEndExcluding": "5.18.2", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Use del_timer_sync() before freeing\n\nWhile looking at a crash report on a timer list being corrupted, which\nusually happens when a timer is freed while still active. This is\ncommonly triggered by code calling del_timer() instead of\ndel_timer_sync() just before freeing.\n\nOne possible culprit is the hci_qca driver, which does exactly that.\n\nEric mentioned that wake_retrans_timer could be rearmed via the work\nqueue, so also move the destruction of the work queue before\ndel_timer_sync()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: hci_qca: usar del_timer_sync() antes de liberar Al mirar un informe de fallas en una lista de temporizadores que se est\u00e1 corrompiendo, lo que generalmente sucede cuando se libera un temporizador mientras a\u00fan est\u00e1 activo. Esto se activa com\u00fanmente por el c\u00f3digo que llama a del_timer() en lugar de del_timer_sync() justo antes de liberar. Un posible culpable es el controlador hci_qca, que hace exactamente eso. Eric mencion\u00f3 que wake_retrans_timer podr\u00eda volver a armarse a trav\u00e9s de la cola de trabajo, as\u00ed que tambi\u00e9n mueva la destrucci\u00f3n de la cola de trabajo antes de del_timer_sync()."}], "id": "CVE-2022-49555", "lastModified": "2025-10-22T17:31:42.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:31.313", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2717654ae022e6ea959a4b7b762702fe1a4690c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/37d17f63d085d601011964ade7371aeebeb6ed4b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4989bb03342941f2b730b37dfa38bce27b543661"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/72ef98445aca568a81c2da050532500a8345ad3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/db03727b4bbbbb36e6ef4cb655c670eefb6448e9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: hci_qca: Use del_timer_sync() before freeing", "id": "2348005", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348005"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_qca: Use del_timer_sync() before freeing\nWhile looking at a crash report on a timer list being corrupted, which\nusually happens when a timer is freed while still active. This is\ncommonly triggered by code calling del_timer() instead of\ndel_timer_sync() just before freeing.\nOne possible culprit is the hci_qca driver, which does exactly that.\nEric mentioned that wake_retrans_timer could be rearmed via the work\nqueue, so also move the destruction of the work queue before\ndel_timer_sync()."], "name": "CVE-2022-49555", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49555\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49555\nhttps://lore.kernel.org/linux-cve-announce/2025022616-CVE-2022-49555-64d2@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-13T11:14:11.310772+00:00", "updated": "2025-07-13T11:14:11.310823+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}