CVE-2022-49551
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: isp1760: Fix out-of-bounds array access

Running the driver through kasan gives an interesting splat:

    BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c
    Read of size 20 at addr f1db2e64 by task swapper/0/1
    (...)
    isp1760_register from isp1760_plat_probe+0x1d8/0x220
    (...)

This happens because the loop reading the regmap fields for the different ISP1760 variants looks like this:

    for (i = 0; i < HC_FIELD_MAX; i++) {
        ...
    }

Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long. However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation.

Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read. Also add comments explaining what is going on.
Security Summary
CVE-2022-49551 is an out-of-bounds array access vulnerability in the Linux kernel's isp1760 USB driver. The issue occurs during the driver's probe phase in the isp1760_register function, where a loop iterates over the regmap fields of the ISP1760 variants from index 0 up to HC_FIELD_MAX - 1. The arrays it indexes (isp1760_hc_reg_fields, isp1763_hc_reg_fields, isp1763_hc_volatile_ranges and isp1763_dc_volatile_ranges) are sized from their initializers at compile time rather than declared with HC_FIELD_MAX or DC_FIELD_MAX entries, so a variant whose table is shorter than the loop assumes produces a global out-of-bounds read, which KASAN detected. The issue is classified as CWE-125 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges could trigger the vulnerability by causing the isp1760 driver to probe, for example through device insertion or related operations. The out-of-bounds read can expose adjacent kernel memory (high confidentiality impact) and can crash the system (high availability impact).
Mitigation is provided through upstream Linux kernel patches available in stable releases. The fixes, carried in kernel git commits 26ae2c942b5702f2e43d36b2a4389cfb7d616b6a, 463bddd3ff1acf4036ddb80c34a715eb99debf46, 47d39cb57e8669e507d17d9e0d067d2b3e3a87ae and bf2558bbdce3ab1d6bcba09f354914e4515d0a2b, extend each affected array by appending an empty assignment at index HC_FIELD_MAX (or DC_FIELD_MAX where applicable). This guarantees that every index the probe loop visits lies inside the array, at the cost of one unused trailing element, and the patches add comments explaining why the terminator is there. Security practitioners should update to a patched kernel version on systems that use the isp1760 driver.
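The description and the summary above both turn on one C detail: an array declared with `[]` and filled with designated initializers gets its length from the highest index that is initialized, not from the enum's `*_MAX` value, so a variant table that leaves the upper fields out is shorter than the probe loop assumes. The following program is an added illustration of that behaviour and of the fix pattern the patches use; it is not the driver's code. The enum members, the `field_desc` struct and the register values are constructed stand-ins (only the `HC_FIELD_MAX` name comes from the page), and the bounds-guarded walk plus the `_Static_assert` show the checks a maintainer can use to catch a short table at compile time rather than at probe time.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the driver's field enum. Only the HC_FIELD_MAX
 * terminator is taken from the advisory; the field names are hypothetical. */
enum hc_field {
    FIELD_A,
    FIELD_B,
    FIELD_C,
    FIELD_D,
    HC_FIELD_MAX,
};

/* Minimal stand-in for a regmap field descriptor (reg, lsb, msb). */
struct field_desc {
    unsigned int reg;
    unsigned int lsb;
    unsigned int msb;
};

/* Variant table that only initialises FIELD_A and FIELD_B. With designated
 * initialisers C sizes an unsized array from the highest index used, so this
 * array has 2 elements, not HC_FIELD_MAX: a loop up to HC_FIELD_MAX - 1 would
 * read past its end. Register values are constructed sample data. */
static const struct field_desc short_variant[] = {
    [FIELD_A] = { 0x00, 0, 7 },
    [FIELD_B] = { 0x04, 0, 15 },
};

/* Same table with the fix pattern from the advisory: an explicit assignment
 * at [HC_FIELD_MAX] forces the array to HC_FIELD_MAX + 1 elements, so every
 * index the loop visits is in bounds. Entries not named are zero-filled.
 * (The kernel idiom is `= {}`; `{ 0 }` is the strictly portable spelling.) */
static const struct field_desc fixed_variant[] = {
    [FIELD_A] = { 0x00, 0, 7 },
    [FIELD_B] = { 0x04, 0, 15 },
    [HC_FIELD_MAX] = { 0 },   /* terminator; keeps the loop in bounds */
};

/* Compile-time guard: fails the build if someone drops the terminator. */
_Static_assert(ARRAY_SIZE(fixed_variant) == HC_FIELD_MAX + 1,
               "fixed_variant must carry the [HC_FIELD_MAX] terminator");

size_t short_variant_len(void) { return ARRAY_SIZE(short_variant); }
size_t fixed_variant_len(void) { return ARRAY_SIZE(fixed_variant); }

/* True when a table of `len` entries can be indexed up to HC_FIELD_MAX - 1. */
int table_covers_loop(size_t len)
{
    return len >= HC_FIELD_MAX;
}

/* Walks a table the way the probe loop does, but stops at the table's real
 * length. Returns the number of entries visited; a value below HC_FIELD_MAX
 * means the unguarded loop in the advisory would have run off the end. */
size_t walk_fields(const struct field_desc *table, size_t len)
{
    size_t limit = len < HC_FIELD_MAX ? len : HC_FIELD_MAX;
    unsigned int touched = 0;
    size_t i;

    for (i = 0; i < limit; i++)
        touched += table[i].msb;   /* stand-in for consuming the field */
    (void)touched;
    return limit;
}

int main(void)
{
    printf("short_variant: %zu entries, covers loop: %s\n",
           short_variant_len(),
           table_covers_loop(short_variant_len()) ? "yes" : "NO");
    printf("fixed_variant: %zu entries, covers loop: %s\n",
           fixed_variant_len(),
           table_covers_loop(fixed_variant_len()) ? "yes" : "NO");
    printf("guarded walk visited %zu of %d fields in short_variant\n",
           walk_fields(short_variant, short_variant_len()), HC_FIELD_MAX);
    return 0;
}
```

The `_Static_assert` is the check worth copying: it turns a silent size mismatch into a build failure, which is cheaper to find than a KASAN splat at probe time.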
Details
- CWE(s)