CVE-2022-49250
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: rx-macro: fix accessing compander for aux

AUX interpolator does not have a compander, so check before accessing compander data for this. Without this check, an out-of-bounds array access will be made in the comp_enabled[] array.
Security Summary
CVE-2022-49250 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel's ASoC (ALSA System on Chip) rx-macro codec driver. The issue arises because the driver does not check whether the AUX interpolator has a compander before accessing its compander data, resulting in an out-of-bounds access in the comp_enabled[] array.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation leads to high confidentiality impact (C:H), such as potential information disclosure, and high availability impact (A:H), such as denial of service via system crash, with unchanged scope (S:U). The CVSS v3.1 base score is 7.1 (High).
Mitigation is provided through patches in the Linux kernel stable repository, as documented in the referenced commits (e.g., 42c709c4e1ce4c136891530646c9abd5dff3524f, 6aa8ef9535dbd561293406608ebe791627b10196). These patches add a check before accessing compander data for the AUX interpolator, preventing the out-of-bounds access. Security practitioners should apply the relevant stable kernel updates to affected systems.
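The bug class here is a missing "does this interpolator even have a compander?" check before an array lookup. The following C is an added, constructed model of that pattern, not the rx-macro driver's code: `rx_model`, `interp_has_compander`, `comp_enabled_checked`, the interpolator count and the `INTERP_AUX` index are assumptions chosen for illustration (only `comp_enabled[]` and the AUX interpolator come from the CVE text). It shows the unchecked accessor that would read past `comp_enabled[]` for AUX beside the hardened form that refuses the lookup.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not the driver's own code) of the layout the CVE text
 * describes: several RX interpolators, of which only some have a compander.
 * The AUX interpolator has none. The counts and the INTERP_AUX index are
 * assumptions for this example. */
enum { NUM_COMPANDERS = 2 };      /* hypothetical: companders 0 and 1 */
enum { INTERP_AUX = 2 };          /* hypothetical index of the AUX interpolator */
enum { NUM_INTERPOLATORS = 3 };   /* hypothetical: interpolators 0, 1 and AUX */

struct rx_model {
	int comp_enabled[NUM_COMPANDERS];   /* one entry per compander */
};

/* The check the fix adds: does this interpolator drive a compander at all?
 * In this model every interpolator below NUM_COMPANDERS has one; AUX (and
 * any index outside the table) does not. */
static bool interp_has_compander(int interp)
{
	return interp >= 0 && interp < NUM_COMPANDERS;
}

/* Vulnerable shape, kept only for contrast and never called: the
 * interpolator index is used directly as a compander index, so
 * INTERP_AUX reads one element past the end of comp_enabled[] (CWE-125).
 * Calling it with INTERP_AUX is undefined behaviour. */
static inline int comp_enabled_unchecked(const struct rx_model *rx, int interp)
{
	return rx->comp_enabled[interp];
}

/* Hardened accessor: returns the compander state (0 or 1) for interpolators
 * that have one, and -EINVAL for those that do not, so the array is never
 * indexed out of range. */
static int comp_enabled_checked(const struct rx_model *rx, int interp)
{
	if (!interp_has_compander(interp))
		return -EINVAL;
	return rx->comp_enabled[interp];
}

int main(void)
{
	/* Constructed state: compander 0 enabled, compander 1 disabled. */
	struct rx_model rx = { .comp_enabled = { 1, 0 } };

	for (int i = 0; i < NUM_INTERPOLATORS; i++) {
		int r = comp_enabled_checked(&rx, i);
		if (r < 0)
			printf("interp %d: no compander, lookup skipped\n", i);
		else
			printf("interp %d: compander %s\n", i, r ? "enabled" : "disabled");
	}
	return 0;
}
```

Walking the loop over all three interpolators exercises the AUX case: the checked accessor returns -EINVAL for it instead of reading `comp_enabled[2]`, which is exactly the access the patch prevents.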
Details
- CWE(s)