CVE-2022-49291

High

Published: 26 February 2025

Modified: 25 March 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls.

This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params and hw_free ioctl code paths. Along with it, the both functions are slightly modified (the mmap_count check is moved into the state-check block) for code simplicity.

Security Summary

CVE-2022-49291 is a race condition vulnerability in the Linux kernel's ALSA PCM subsystem, specifically involving concurrent calls to the hw_params and hw_free ioctls. Without proper synchronization, these operations can lead to a use-after-free (UAF) condition, as the existing PCM stream lock does not protect the full ioctl paths. The issue affects Linux kernel versions prior to the application of the fixing commits and is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering concurrent hw_params and hw_free operations on a PCM device. Winning the race results in a UAF, with potential high-impact consequences such as arbitrary code execution, data corruption, or system crashes, consistent with the high confidentiality, integrity, and availability impacts in the CVSS vector.

The provided kernel stable commit references detail the mitigation, which introduces a new mutex (runtime->buffer_mutex) to serialize hw_params and hw_free ioctl paths, along with minor code adjustments like moving the mmap_count check into the state-check block for simplicity. Security practitioners should ensure affected systems apply these patches from the referenced commits to prevent exploitation.
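
The locking pattern described above, as a simplified user-space model added here for illustration (it is not the kernel patch or code from the referenced commits). Only buffer_mutex and mmap_count come from the description; the struct, the function names, the states and the -EBUSY return value are assumptions of this sketch.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* User-space model. buffer_mutex and mmap_count are named on the page;
 * every other name is an assumption made for this sketch. */
enum model_state { ST_OPEN, ST_SETUP, ST_RUNNING };

struct model_runtime {
    pthread_mutex_t buffer_mutex; /* serializes hw_params and hw_free */
    enum model_state state;
    int mmap_count;               /* live mappings of the buffer */
    void *buf;                    /* stands in for the PCM buffer */
};

/* State check and mmap_count check in one block; call with mutex held. */
static int check_idle(const struct model_runtime *rt)
{
    return (rt->state == ST_RUNNING || rt->mmap_count > 0) ? -EBUSY : 0;
}

int model_hw_params(struct model_runtime *rt, size_t bytes)
{
    pthread_mutex_lock(&rt->buffer_mutex);
    int err = check_idle(rt);
    if (!err) {
        free(rt->buf);            /* old buffer goes away ... */
        rt->buf = malloc(bytes);  /* ... before the new one is installed */
        rt->state = rt->buf ? ST_SETUP : ST_OPEN;
        if (!rt->buf)
            err = -ENOMEM;
    }
    pthread_mutex_unlock(&rt->buffer_mutex);
    return err;
}

int model_hw_free(struct model_runtime *rt)
{
    pthread_mutex_lock(&rt->buffer_mutex);
    int err = check_idle(rt);
    if (!err) {
        free(rt->buf);
        rt->buf = NULL;           /* leave no stale pointer behind */
        rt->state = ST_OPEN;
    }
    pthread_mutex_unlock(&rt->buffer_mutex);
    return err;
}
```

Because the checks and the buffer update happen under the same mutex, neither path can observe or release a buffer that the other is halfway through replacing.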

Details

CWE(s)
CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: ≤ 4.14.279 · 4.15 — 4.19.243 · 4.20 — 5.4.193

References