CVE-2022-49726

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-49726
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49726.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49726
Downstream
Related
Published
2025-02-26T02:24:38.003Z
Modified
2026-03-12T03:25:41.264124Z
Summary
clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()
Details

In the Linux kernel, the following vulnerability has been resolved:

clocksource: hyper-v: unexport __init-annotated hvinitclocksource()

EXPORT_SYMBOL and __init is a bad combination because the .init.text section is freed up after the initialization. Hence, modules cannot use symbols annotated __init. The access to a freed symbol may end up with kernel panic.

modpost used to detect it, but it has been broken for a decade.

Recently, I fixed modpost so it started to warn it again, then this showed up in linux-next builds.

There are two ways to fix it:

  • Remove __init
  • Remove EXPORT_SYMBOL

I chose the latter for this case because the only in-tree call-site, arch/x86/kernel/cpu/mshyperv.c is never compiled as modular. (CONFIGHYPERVISORGUEST is boolean)

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49726.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dd2cb348613b44f9d948b068775e159aad298599
Fixed
cff3a7ce6e81418b6e8bac941779bbf5d342d626
Fixed
db965e2757d95f695e606856418cd84003dd036d
Fixed
0414eab7c78f3518143d383e448d44fc573ac6d2
Fixed
937fcbb55a1e48a6422e87e8f49422c92265f102
Fixed
245b993d8f6c4e25f19191edfbd8080b645e12b1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49726.json"