CVE-2022-49278
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

remoteproc: Fix count check in rproc_coredump_write()

Check count for 0, to avoid a potential underflow. Make the check the same as the one in rproc_recovery_write().
Security Summary
CVE-2022-49278 is an integer underflow vulnerability in the Linux kernel's remoteproc subsystem. The issue affects the rproc_coredump_write() function, which does not check if the count parameter is zero, potentially leading to an underflow. This flaw, classified under CWE-191, has been addressed by aligning the count check with the implementation in rproc_recovery_write().
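The missing zero check, shown as an added userspace C model that is not the kernel's code. It assumes the handler indexes the last byte written with count - 1 (for instance to strip a trailing newline); CMD_BUF_LEN, the function names and the sample input are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 20 /* assumed buffer size, for illustration only */

/* Upper-bound-only check: a zero-length write is accepted. */
static int check_upper_only(size_t count)
{
    return count > CMD_BUF_LEN ? -EINVAL : 0;
}

/* Check with the zero case added: reject empty and oversized writes. */
static int check_fixed(size_t count)
{
    return (count < 1 || count > CMD_BUF_LEN) ? -EINVAL : 0;
}

/* Index of the last byte written; size_t is unsigned, so 0 - 1 wraps. */
static size_t last_byte_index(size_t count)
{
    return count - 1;
}

/* Hypothetical handler: copy input, strip one trailing newline, return length. */
static long handle_write(const char *in, size_t count, char out[CMD_BUF_LEN + 1])
{
    if (check_fixed(count))
        return -EINVAL;
    memcpy(out, in, count);
    out[count] = '\0';
    if (out[count - 1] == '\n') /* safe: count >= 1 is guaranteed here */
        out[--count] = '\0';
    return (long)count;
}

int main(void)
{
    char out[CMD_BUF_LEN + 1];
    printf("upper-only check, count=0: %d\n", check_upper_only(0));
    printf("last index for count=0: %zu\n", last_byte_index(0));
    printf("fixed check, count=0: %d\n", check_fixed(0));
    printf("handle_write(sample): %ld\n", handle_write("sample\n", 7, out));
    return 0;
}
```

With only the upper-bound check, a zero-length write passes validation and the last-byte index wraps to SIZE_MAX, far outside the buffer; the added lower bound rejects the write before any indexing happens.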
According to its CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), the vulnerability can be exploited by a local attacker with low privileges. Exploitation requires low attack complexity and no user interaction, allowing the attacker to achieve high impacts on system integrity and availability, with no confidentiality impact.
Mitigation is provided through kernel patches in the following stable commits:
- https://git.kernel.org/stable/c/11572dad9fbadbd9269a2550f7e236b5b8c2d80c
- https://git.kernel.org/stable/c/34afac3c75fa08d6fabbab4c93f0a90618afaaa6
- https://git.kernel.org/stable/c/a8c3e53517985d69040a1b36a269e85f99cf0cea
- https://git.kernel.org/stable/c/b97b305656a7013690e7b6e310f0e827e0bbff90
- https://git.kernel.org/stable/c/f89672cc3681952f2d06314981a6b45f8b0045d1

Security practitioners should ensure affected Linux kernel versions are updated with these fixes.
Details
- CWE(s)