CVE-2022-49288
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: Fix races among concurrent prealloc proc writes

We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations).
Security Summary
CVE-2022-49288 is a race condition vulnerability in the Linux kernel's ALSA PCM subsystem. It arises from a lack of protection against concurrent writes to proc files used for PCM buffer preallocation changes, which can potentially lead to use-after-free (UAF) conditions or other undefined behaviors (CWE-416). The issue affects Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges (PR:L) can exploit this vulnerability over a local attack vector (AV:L) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Successful exploitation could have a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), giving an overall CVSS v3.1 base score of 7.8 and potentially enabling kernel memory corruption, arbitrary code execution, or system crashes.
Mitigation involves applying upstream kernel patches from the Linux stable repository, which resolve the issue by applying the PCM open_mutex to proc write operations. This synchronizes proc writes with PCM stream opens and subsequent operations, preventing the races. Key patch commits include 37b12c16beb6f6c1c3c678c1aacbc46525c250f7, 51fce708ab8986a9879ee5da946a2cc120f1036d, 5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6, 69534c48ba8ce552ce383b3dfdb271ffe51820c3, and a21d2f323b5a978dedf9ff1d50f101f85e39b3f2.
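The locking pattern described above can be modelled in userspace. The following is an added example, not the kernel patch or any code from the ALSA project: pthread mutexes stand in for the PCM open_mutex, and struct pcm_model, prealloc_write, stream_cycle and stress are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct pcm_model {              /* userspace model, illustrative names, not kernel code */
    pthread_mutex_t open_mutex; /* stands in for the PCM open_mutex */
    int opened;                 /* non-zero while a stream is open */
    void *buf;                  /* preallocated buffer */
};

/* Proc-write path: replace the preallocation, serialized by open_mutex. */
int prealloc_write(struct pcm_model *p, size_t new_size) {
    int err = -EBUSY;           /* refused while a stream holds the buffer */
    pthread_mutex_lock(&p->open_mutex);
    if (!p->opened) {
        void *nb = malloc(new_size);
        err = nb ? 0 : -ENOMEM;
        if (nb) { free(p->buf); p->buf = nb; }
    }
    pthread_mutex_unlock(&p->open_mutex);
    return err;
}

/* Open then close a stream; returns 1 if the buffer was replaced in between. */
int stream_cycle(struct pcm_model *p) {
    pthread_mutex_lock(&p->open_mutex);
    p->opened = 1;
    void *seen = p->buf;
    pthread_mutex_unlock(&p->open_mutex);   /* stream would use seen here */
    pthread_mutex_lock(&p->open_mutex);
    int replaced = (p->buf != seen);
    p->opened = 0;
    pthread_mutex_unlock(&p->open_mutex);
    return replaced;
}
static void *writer(void *arg) {
    for (int i = 0; i < 20000; i++) prealloc_write(arg, 64 + i % 64);
    return NULL;
}
/* Two racing writers plus an opener; counts streams that lost their buffer. */
int stress(void) {
    struct pcm_model p = { PTHREAD_MUTEX_INITIALIZER, 0, NULL };
    pthread_t w[2];
    int lost = 0;
    for (int i = 0; i < 2; i++) pthread_create(&w[i], NULL, writer, &p);
    for (int i = 0; i < 20000; i++) lost += stream_cycle(&p);
    for (int i = 0; i < 2; i++) pthread_join(w[i], NULL);
    free(p.buf);
    return lost;
}
```

Build with `cc -pthread` and call stress() from a main; it returns 0 because every write attempted while a stream is open is rejected with -EBUSY under the shared mutex.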
Details
- CWE(s)