CVE-2022-49251
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: va-macro: fix accessing array out of bounds for enum type Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes.
Security Summary
CVE-2022-49251 is an out-of-bounds array access vulnerability in the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically within the va-macro codec driver. The issue arises from accessing enums using integer indices, which leads to out-of-bounds reads on platforms like aarch64 where the size of a long (8 bytes) exceeds the enum size (4 bytes). This flaw, classified under CWE-125 (Out-of-bounds Read), carries a CVSS v3.1 base score of 7.1.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as reading sensitive data from out-of-bounds memory, and high-impact availability disruptions, potentially leading to kernel crashes or denial of service, while integrity remains unaffected.
Mitigation involves applying the relevant stable kernel patches, as detailed in the provided commit references: 0ea5eff7c6063a8f124188424f8e4c6727f35051, 4a799972a283ab4ec031041304d7e2d34e1a16eb, 966408e37d84b762d11978b7bfb03fff0c6222ad, and c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f. Security practitioners should update affected Linux kernels to incorporate these fixes.
Details
- CWE(s)