CVE-2022-49612

CVE-2022-49612 is a vulnerability in the Linux kernel's power supply core subsystem, specifically affecting the functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple. These functions incorrectly handle boundary conditions during interpolation, leading to issues such as an out-of-bounds read when the input ocv exceeds table[0].ocv, due to erroneous index assignments like "high = i - 1" and "high = i". The flaw was introduced by commit a4585ba2050f460f749bbaf2b67bd56c41e30283 ("power: supply: core: Use library interpolation") and is classified under CWE-787 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the affected interpolation functions under specific boundary conditions, such as providing an ocv value greater than the first table entry or temperatures outside expected ranges. Successful exploitation results in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes due to the out-of-bounds access.

Kernel patches addressing this issue are available in stable branches, including commit 093d27bb6f2d1963f927ef59c9a2d37059175426 and commit a762cee5d933fe4e2e1b773d60fc74fb8248d8c4, which fix the index logic errors and boundary handling in both functions. Security practitioners should ensure affected Linux kernel versions are updated to incorporate these fixes.