[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2022-49943":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":39,"aliases":40,"duplicate_of":9,"upstream":41,"downstream":42,"duplicates":67,"related":68,"reserved_at":9,"published_at":78,"modified_at":79,"state":80,"summary":81,"references_raw":90,"kevs":101,"epss":102,"epss_history":105,"metrics":374,"affected":380},"CVE-2022-49943","In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation.  In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 (kn->active#4){++++}-{0:0}:\n        lock_acquire+0x68/0x84\n        __kernfs_remove+0x268/0x380\n        kernfs_remove_by_name_ns+0x58/0xac\n        sysfs_remove_file_ns+0x18/0x24\n        device_del+0x15c/0x440\n\n-> #2 (device_links_lock){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        device_link_remove+0x3c/0xa0\n        _regulator_put.part.0+0x168/0x190\n        regulator_put+0x3c/0x54\n        devm_regulator_release+0x14/0x20\n\n-> #1 (regulator_list_mutex){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        regulator_lock_dependent+0x54/0x284\n        regulator_enable+0x34/0x80\n        phy_power_on+0x24/0x130\n        __dwc2_lowlevel_hw_enable+0x100/0x130\n        dwc2_lowlevel_hw_enable+0x18/0x40\n        dwc2_hsotg_udc_start+0x6c/0x2f0\n        gadget_bind_driver+0x124/0x1f4\n\n-> #0 (udc_lock){+.+.}-{3:3}:\n        __lock_acquire+0x1298/0x20cc\n        lock_acquire.part.0+0xe0/0x230\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc->driver along with a few other\nthings.  As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's ->bind or ->unbind\nroutine, or while a UDC is being started or stopped.  (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers' ->disconnect callbacks are problematic.  Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the ->bind callback is invoked.  If a disconnect occurred\nduring that window, we could call the driver's ->disconnect routine\nbefore its ->bind routine.  To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver.  This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this.  Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc->driver at arbitrary times since it is a\nsysfs callback.  The solution here is to acquire the gadget's device\nlock rather than the udc_mutex.  Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc->driver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc->driver.  The missing lock and\nunlock calls are added.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-667","Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.","weakness","Draft","Class",[19,31,35],{"id":20,"name":21,"techniques":22},"CAPEC-25","Forced Deadlock",[23],{"id":24,"name":25,"tactics":26,"countermeasures":30},"T1499.004","Application or System Exploitation",[27],{"id":28,"name":29},"TA0105","Impact",[],{"id":32,"name":33,"techniques":34},"CAPEC-26","Leveraging Race Conditions",[],{"id":36,"name":37,"techniques":38},"CAPEC-27","Leveraging Race Conditions via Symbolic Links",[],[],[],[],[43,45,47,49,51,53,55,57,59,61,63,65],{"_key":44},"SUSE-SU-2025:02264-1",{"_key":46},"SUSE-SU-2026:0617-1",{"_key":48},"SUSE-SU-2025:02321-1",{"_key":50},"SUSE-SU-2026:0473-1",{"_key":52},"SUSE-SU-2026:0474-1",{"_key":54},"SUSE-SU-2026:0475-1",{"_key":56},"SUSE-SU-2026:0495-1",{"_key":58},"SUSE-SU-2026:0496-1",{"_key":60},"SUSE-SU-2026:1131-1",{"_key":62},"DEBIAN-CVE-2022-49943",{"_key":64},"RHSA-2023:2458",{"_key":66},"UBUNTU-CVE-2022-49943",[],[69,70,71,72,73,74,75,76,77],{"_key":44},{"_key":46},{"_key":48},{"_key":50},{"_key":52},{"_key":54},{"_key":56},{"_key":58},{"_key":60},"2025-06-18T10:59:58.516Z","2026-05-11T19:09:40.620Z","Analyzed",{"cisa_kev":82,"cisa_ransomware":82,"cisa_vendor":9,"epss_severity":83,"epss_score":84,"severity":85,"severity_score":86,"severity_version":87,"severity_source":88,"severity_vector":89,"severity_status":80},false,"low",0.00057,"medium",5.5,"v3.1","nvd","CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",[91,97],{"url":92,"sources":93,"tags":95},"https://git.kernel.org/stable/c/1a065e4673cbdd9f222a05f85e17d78ea50c8d9c",[94,88],"cve.org",[96],"Patch",{"url":98,"sources":99,"tags":100},"https://git.kernel.org/stable/c/1016fc0c096c92dd0e6e0541daac7a7868169903",[94,88],[96],[],{"date":103,"score":84,"percentile":104},"2026-06-03",0.18041,[106,110,113,116,119,122,125,128,131,134,137,140,144,147,150,153,156,159,163,166,169,172,175,179,182,185,188,191,194,197,200,203,206,209,212,215,218,221,224,227,230,233,236,239,242,244,247,249,252,255,258,261,264,267,270,272,275,278,280,283,286,288,291,294,296,299,302,305,308,311,315,318,321,324,327,330,333,336,339,342,345,348,351,354,357,359,362,365,368,371],{"date":107,"score":108,"percentile":109},"2025-11-04",0.00035,0.09609,{"date":111,"score":108,"percentile":112},"2025-11-05",0.09633,{"date":114,"score":108,"percentile":115},"2025-11-06",0.09752,{"date":117,"score":108,"percentile":118},"2025-11-07",0.09772,{"date":120,"score":108,"percentile":121},"2025-11-08",0.09785,{"date":123,"score":108,"percentile":124},"2025-11-09",0.0976,{"date":126,"score":108,"percentile":127},"2025-11-10",0.09722,{"date":129,"score":108,"percentile":130},"2025-11-11",0.09736,{"date":132,"score":108,"percentile":133},"2025-11-12",0.09763,{"date":135,"score":108,"percentile":136},"2025-11-13",0.09808,{"date":138,"score":108,"percentile":139},"2025-11-14",0.0982,{"date":141,"score":142,"percentile":143},"2025-11-15",0.00019,0.0365,{"date":145,"score":142,"percentile":146},"2025-11-16",0.03647,{"date":148,"score":142,"percentile":149},"2025-11-17",0.03629,{"date":151,"score":142,"percentile":152},"2025-11-18",0.02328,{"date":154,"score":142,"percentile":155},"2025-11-19",0.02361,{"date":157,"score":142,"percentile":158},"2025-11-20",0.02396,{"date":160,"score":161,"percentile":162},"2025-11-21",0.00012,0.01316,{"date":164,"score":161,"percentile":165},"2025-11-22",0.01313,{"date":167,"score":161,"percentile":168},"2025-11-23",0.01301,{"date":170,"score":161,"percentile":171},"2025-11-24",0.01294,{"date":173,"score":161,"percentile":174},"2025-11-25",0.0129,{"date":176,"score":177,"percentile":178},"2025-11-26",0.00014,0.01908,{"date":180,"score":177,"percentile":181},"2025-11-27",0.01907,{"date":183,"score":177,"percentile":184},"2025-11-28",0.01904,{"date":186,"score":177,"percentile":187},"2025-11-29",0.01952,{"date":189,"score":177,"percentile":190},"2025-11-30",0.0196,{"date":192,"score":177,"percentile":193},"2025-12-01",0.01993,{"date":195,"score":177,"percentile":196},"2025-12-02",0.01992,{"date":198,"score":177,"percentile":199},"2025-12-03",0.02001,{"date":201,"score":177,"percentile":202},"2025-12-04",0.01971,{"date":204,"score":177,"percentile":205},"2025-12-05",0.01982,{"date":207,"score":177,"percentile":208},"2025-12-06",0.01986,{"date":210,"score":177,"percentile":211},"2025-12-07",0.01983,{"date":213,"score":177,"percentile":214},"2025-12-08",0.01985,{"date":216,"score":177,"percentile":217},"2025-12-09",0.02002,{"date":219,"score":177,"percentile":220},"2025-12-10",0.02033,{"date":222,"score":177,"percentile":223},"2025-12-11",0.02029,{"date":225,"score":177,"percentile":226},"2025-12-12",0.02034,{"date":228,"score":177,"percentile":229},"2025-12-13",0.02017,{"date":231,"score":177,"percentile":232},"2025-12-14",0.02019,{"date":234,"score":177,"percentile":235},"2025-12-15",0.0201,{"date":237,"score":177,"percentile":238},"2025-12-16",0.02006,{"date":240,"score":177,"percentile":241},"2025-12-17",0.02021,{"date":243,"score":177,"percentile":232},"2025-12-18",{"date":245,"score":177,"percentile":246},"2025-12-19",0.0202,{"date":248,"score":177,"percentile":246},"2025-12-20",{"date":250,"score":177,"percentile":251},"2025-12-21",0.02032,{"date":253,"score":177,"percentile":254},"2025-12-22",0.0203,{"date":256,"score":177,"percentile":257},"2025-12-23",0.02031,{"date":259,"score":177,"percentile":260},"2025-12-24",0.02039,{"date":262,"score":177,"percentile":263},"2025-12-25",0.02045,{"date":265,"score":177,"percentile":266},"2025-12-26",0.0205,{"date":268,"score":177,"percentile":269},"2025-12-27",0.02026,{"date":271,"score":177,"percentile":266},"2025-12-28",{"date":273,"score":177,"percentile":274},"2025-12-29",0.02041,{"date":276,"score":177,"percentile":277},"2025-12-30",0.02035,{"date":279,"score":177,"percentile":257},"2025-12-31",{"date":281,"score":177,"percentile":282},"2026-01-01",0.02053,{"date":284,"score":177,"percentile":285},"2026-01-02",0.02051,{"date":287,"score":177,"percentile":282},"2026-01-03",{"date":289,"score":177,"percentile":290},"2026-01-04",0.02018,{"date":292,"score":177,"percentile":293},"2026-01-05",0.02025,{"date":295,"score":177,"percentile":241},"2026-01-06",{"date":297,"score":177,"percentile":298},"2026-01-07",0.02038,{"date":300,"score":177,"percentile":301},"2026-01-08",0.02056,{"date":303,"score":177,"percentile":304},"2026-01-09",0.02072,{"date":306,"score":177,"percentile":307},"2026-01-10",0.02086,{"date":309,"score":177,"percentile":310},"2026-01-11",0.02076,{"date":312,"score":313,"percentile":314},"2026-01-12",0.00015,0.02495,{"date":316,"score":313,"percentile":317},"2026-01-13",0.02486,{"date":319,"score":313,"percentile":320},"2026-01-14",0.02488,{"date":322,"score":313,"percentile":323},"2026-01-15",0.0248,{"date":325,"score":313,"percentile":326},"2026-01-16",0.02479,{"date":328,"score":313,"percentile":329},"2026-01-17",0.02483,{"date":331,"score":313,"percentile":332},"2026-01-18",0.02487,{"date":334,"score":313,"percentile":335},"2026-01-19",0.02475,{"date":337,"score":313,"percentile":338},"2026-01-20",0.02462,{"date":340,"score":313,"percentile":341},"2026-01-21",0.02454,{"date":343,"score":313,"percentile":344},"2026-01-22",0.02452,{"date":346,"score":313,"percentile":347},"2026-01-23",0.02459,{"date":349,"score":313,"percentile":350},"2026-01-24",0.02482,{"date":352,"score":313,"percentile":353},"2026-01-25",0.02478,{"date":355,"score":313,"percentile":356},"2026-01-26",0.02474,{"date":358,"score":313,"percentile":356},"2026-01-27",{"date":360,"score":313,"percentile":361},"2026-01-28",0.02477,{"date":363,"score":313,"percentile":364},"2026-01-29",0.02498,{"date":366,"score":313,"percentile":367},"2026-01-30",0.02508,{"date":369,"score":313,"percentile":370},"2026-01-31",0.0253,{"date":372,"score":313,"percentile":373},"2026-02-01",0.02591,[375],{"source":88,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":376,"cvss_v4_0":9},{"baseScore":86,"baseSeverity":377,"vectorString":89,"impactScore":378,"exploitabilityScore":379},"MEDIUM",6,4.6,[381,401],{"ecosystem":9,"name":382,"vendor":383,"product":383,"cpe_part":384,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":385},"Linux","linux","a",[386,393,397],{"version":387,"is_range":388,"range_type":94,"version_start":389,"version_start_type":390,"version_end":391,"version_end_type":392,"fixed_in":9},">= f44b0b95d50fffeca036e1ba36770390e0b519dd, \u003C 1a065e4673cbdd9f222a05f85e17d78ea50c8d9c",true,"f44b0b95d50fffeca036e1ba36770390e0b519dd","including","1a065e4673cbdd9f222a05f85e17d78ea50c8d9c","excluding",{"version":394,"is_range":388,"range_type":94,"version_start":395,"version_start_type":390,"version_end":396,"version_end_type":392,"fixed_in":9},">= 2191c00855b03aa59c20e698be713d952d51fc18, \u003C 1016fc0c096c92dd0e6e0541daac7a7868169903","2191c00855b03aa59c20e698be713d952d51fc18","1016fc0c096c92dd0e6e0541daac7a7868169903",{"version":398,"is_range":388,"range_type":94,"version_start":399,"version_start_type":390,"version_end":400,"version_end_type":392,"fixed_in":9},">= 5.19.7, \u003C 5.19.8","5.19.7","5.19.8",{"ecosystem":9,"name":402,"vendor":383,"product":403,"cpe_part":404,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":405},"linux kernel","linux_kernel","o",[406,408,410,412],{"version":399,"is_range":82,"range_type":407,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"cpe",{"version":409,"is_range":82,"range_type":407,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"6.0:rc1",{"version":411,"is_range":82,"range_type":407,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"6.0:rc2",{"version":413,"is_range":82,"range_type":407,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"6.0:rc3"]