CVE-2022-44032 - Race Condition and Use-After-Free in Linux Kernel’s cm400_cs PCMCIA Driver

In this exclusive deep-dive, we’ll break down CVE-2022-44032—a vulnerability that hits the Linux kernel PCMCIA driver, specifically cm400_cs (through version 6..6). This flaw puts physically proximate attackers in the position to crash your machine or possibly run malicious code, simply by pulling out a PCMCIA smart card device at the right moment.

We’ll explain the background, show some code, guide you through the exploit details, and provide key resources. All in simple language.

What is CVE-2022-44032?

CVE-2022-44032 exposes a race condition in the Linux kernel driver cm400_cs. This is the driver for Schlumberger Cryptoflex/E-Gate Cyberflex 32k PCMCIA smart cards.

The problem occurs when one process is opening the device while, at the same time, the PCMCIA device is physically removed. This situation can lead to what's called a use-after-free bug—accessing memory after it has already been deleted, which is dangerous in kernel space.

Official summary

> An issue was discovered in the Linux kernel through 6..6. drivers/char/pcmcia/cm400_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm400_detach().

Use-after-free vulnerabilities in the kernel are especially serious

- Crash/Denial of service: The kernel may panic.

Privilege escalation: In some cases, an attacker could get kernel-level access.

- Physical proximity: This bug *requires* the attacker to be physically close (has to pull out the card at the right time).

This removal triggers the driver's cm400_detach() method.

4. If the card gets removed just as open() is using data structures, there’s a chance the driver frees up memory, but the open() call *still* tries to use it.

This is the “race condition”—a flaw that happens only if two (or more) operations race each other. Whoever gets there first changes the outcome.

Let’s look at some simplified kernel code

// PCMIA device open function in cm400_cs.c
static int cmm_open(struct inode *inode, struct file *filp) {
    struct cm400_dev *dev = ... // get device struct
    
    if (!dev)
        return -ENODEV;

    // This is where the race happens
    atomic_inc(&dev->open);
    filp->private_data = dev;

    // ... do something else

    return ;
}

// Detach triggered when card is removed
static void cm400_detach(struct pcmcia_device *link) {
    struct cm400_dev *dev = ... // get device struct

    // ... various cleanup ...

    kfree(dev);
}

Problem:
If cm400_detach() runs and kfree(dev) occurs *while* a process is still in cmm_open() and about to use dev, boom—kernel uses memory that was just freed.

Let’s make it simple

1. User starts an application that opens /dev/cm400_X (for the smart card).

General system instability

Note:  
This needs precise timing. But an attacker can automate script to repeatedly call open, or just try pulling the card out at the right time.

You could imagine a shell script like this to repeatedly stress the race

#!/bin/bash

while :; do
    cat /dev/cm400_ &
    PID=$!
    # Remove the card *right after* starting cat, by hand
    sleep .05
    kill $PID
done

In real research, tools like Syzkaller might harness more exact timings to demonstrate the bug.

Fix Status

This bug happens because there is no proper locking, or reference counting, ensuring the device isn’t freed until after all accesses are done.

The fix would include

- Good locking (mutex/spinlock) between open and detach.

Reference counts to ensure the object isn’t freed while in use.

Commits & Patches:  
Linux kernel patch discussion link

More Resources

- NVD CVE entry (NIST)
- Exploit-DB Search
- Linux kernel source: cm400_cs.c
- CVE Details: CVE-2022-44032

Conclusion

CVE-2022-44032 shows how even old hardware interfaces (like PCMCIA) can have serious bugs. If you still use smart card drivers on Linux, *make sure your system is updated*. Kernel race conditions are dangerous even if they require a human in the loop—sometimes all that’s needed is a little mischief in the server room.


*If you found this exclusive breakdown useful, check the provided links for more details and stay secure!*

Timeline

Published on: 10/30/2022 01:15:00 UTC
Last modified on: 11/01/2022 14:45:00 UTC