An anonymous security researcher has reported three new vulnerabilities to the maintainers of the Linux kernel. The vulnerabilities may result in arbitrary code execution in the that a threat actor has local access to a system.
The first vulnerability (CVE-2022-41850) is a race condition that is present in the human interface device (HID) driver for Roccat devices known as a use-after-free vulnerability. This vulnerability would allow local attacker to execute arbitrary code on the victim host.
The second vulnerability (CVE-2022-41848) is also a use-after-free type race condition that exists in the HID driver for SyncLink PC Card serial adapter devices. This would allow a local attacker to execute arbitrary code by removing a PCMCIA device while calling ioctl.
The final vulnerability (CVE-2022-41849) like the others is a use-after-free race condition as well. The HID driver involved in this vulnerability is used to run SMSC UFX USB devices. In this instance, the vulnerability can be exploited by physically removing a USB device while calling the linux open() function, once again allowing arbitrary code execution.