{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49823","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.227Z","datePublished":"2025-05-01T14:09:44.205Z","dateUpdated":"2026-05-11T19:07:27.701Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:27.701Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tdev_add()\n\nIn ata_tdev_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #36\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x3a0\nlr : device_del+0x44/0x3a0\nCall trace:\n device_del+0x48/0x3a0\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tdev_delete+0x24/0x50 [libata]\n ata_tlink_delete+0x40/0xa0 [libata]\n ata_tport_delete+0x2c/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tdev_add(). In the error path, device_del() is called to delete\nthe device which was added earlier in this function, and ata_tdev_free()\nis called to free ata_dev."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ata/libata-transport.c"],"versions":[{"version":"d9027470b88631d0956ac37cdadfdeb9cdcf2c99","lessThan":"ef2ac07ab83163b9a53f45da20e14302591ad9cc","status":"affected","versionType":"git"},{"version":"d9027470b88631d0956ac37cdadfdeb9cdcf2c99","lessThan":"f23058dc2398db1d8faca9a2b1ce30b85cdd8b22","status":"affected","versionType":"git"},{"version":"d9027470b88631d0956ac37cdadfdeb9cdcf2c99","lessThan":"f54331962883f4fc4bf5e487e6e7cf07c4567fef","status":"affected","versionType":"git"},{"version":"d9027470b88631d0956ac37cdadfdeb9cdcf2c99","lessThan":"1ff36351309e3eadcff297480baf4785e726de9b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ata/libata-transport.c"],"versions":[{"version":"2.6.37","status":"affected"},{"version":"0","lessThan":"2.6.37","status":"unaffected","versionType":"semver"},{"version":"5.10.156","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.80","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"5.10.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"5.15.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ef2ac07ab83163b9a53f45da20e14302591ad9cc"},{"url":"https://git.kernel.org/stable/c/f23058dc2398db1d8faca9a2b1ce30b85cdd8b22"},{"url":"https://git.kernel.org/stable/c/f54331962883f4fc4bf5e487e6e7cf07c4567fef"},{"url":"https://git.kernel.org/stable/c/1ff36351309e3eadcff297480baf4785e726de9b"}],"title":"ata: libata-transport: fix error handling in ata_tdev_add()","x_generator":{"engine":"bippy-1.2.0"}}}}