Cyber Resilience

CVE-2022-49073

Severity: High

Published: 26 February 2025
Modified: 23 September 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49073 is a high-severity out-of-bounds write (CWE-787) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 5.6th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49073 is an out-of-bounds write in the Linux kernel's sata_dwc_460ex driver, part of the ATA subsystem. The driver indexes several per-port arrays with libata's tag values, but those arrays are sized by SATA_DWC_QCMD_MAX, which was not updated when a separate patch raised ATA_TAG_INTERNAL to 32. Using the internal tag therefore writes past the end of an array. In sata_dwc_dma_xfer_complete() the overrun lands on the adjacent dma_chan pointer, which is overwritten with NULL; the next DMA operation, such as dmaengine_slave_config(), then dereferences that NULL pointer and crashes the kernel.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction, as indicated by the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation triggers a kernel oops or panic, such as the reported NULL pointer dereference in sata_dwc_qc_issue() on PowerPC 44x platforms running kernel 5.4.163, resulting in denial of service. The high impacts on confidentiality, integrity, and availability suggest potential for broader kernel memory corruption.

Kernel stable patches resolve the vulnerability by setting SATA_DWC_QCMD_MAX to ATA_MAX_QUEUE + 1, which prevents the out-of-bounds write; the patch itself notes that a more thorough fix, in which the driver handles ATA_TAG_INTERNAL properly, would be preferable. Relevant commits include 234c0132f76f0676d175757f61b0025191a3d935, 3a8751c0d4e24129e72dcec0139e99833b13904a, 55e1465ba79562a191708a40eeae3f8082a209e3, 596c7efd69aae94f4b0e91172b075eb197958b99, and 7aa8104a554713b685db729e66511b93d989dd6a, available via git.kernel.org/stable.

The vulnerability was reported by Tice Rex on the OpenWrt Forum and documented in https://github.com/openwrt/openwrt/issues/9505, with reproduction on affected PowerPC systems. It aligns with CWE-787 (Out-of-Bounds Write) and was published on 2025-02-26.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ata: sata_dwc_460ex: Fix crash due to OOB write

The driver uses libata's "tag" values in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32, the value of the SATA_DWC_QCMD_MAX needs to account for that. Otherwise ATA_TAG_INTERNAL usage causes similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here:

| BUG: Kernel NULL pointer dereference at 0x00000000
| Faulting instruction address: 0xc03ed4b8
| Oops: Kernel access of bad area, sig: 11 [#1]
| BE PAGE_SIZE=4K PowerPC 44x Platform
| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
| NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c
| REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)
| MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000
| DEAR: 00000000 ESR: 00000000
| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
| [..]
| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| Call Trace:
| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
| [...]

This is because sata_dwc_dma_xfer_complete() NULLs the dma_pending's next neighbour "chan" (a *dma_chan struct) in this '32' case right here (line ~735):

> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;

Then the next time a dma gets issued, dma_dwc_xfer_setup() passes the NULL'd hsdevp->chan to the dmaengine_slave_config() which then causes the crash.

With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1. This avoids the OOB. But please note, there was a worthwhile discussion on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is, and why there should not be a "fake" 33 command-long queue size. Ideally, the dw driver should account for the ATA_TAG_INTERNAL. In Damien Le Moal's words: "... having looked at the driver, it is a bigger change than just faking a 33rd "tag" that is in fact not a command tag at all."
BugLink: https://github.com/openwrt/openwrt/issues/9505
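To make the array-bound mismatch described above concrete, the following C model is an added example written for this page, not code from the kernel or the sata_dwc_460ex driver. It uses constructed, simplified structs that mirror the layout the commit message describes (a dma_pending array immediately followed by the chan pointer), takes ATA_MAX_QUEUE, ATA_TAG_INTERNAL and SATA_DWC_DMA_PENDING_NONE as the text gives them, and contrasts the pre-fix SATA_DWC_QCMD_MAX with the ATA_MAX_QUEUE + 1 value from the patch.

```c
#include <stddef.h>
#include <string.h>
/* Constants as the advisory text gives them (constructed for this model):
 * ATA_MAX_QUEUE is 32 and ATA_TAG_INTERNAL was bumped to 32, one past the last slot. */
#define ATA_MAX_QUEUE             32
#define ATA_TAG_INTERNAL          32
#define SATA_DWC_QCMD_MAX_OLD     ATA_MAX_QUEUE        /* before the fix */
#define SATA_DWC_QCMD_MAX_FIXED   (ATA_MAX_QUEUE + 1)  /* after the fix  */
#define SATA_DWC_DMA_PENDING_NONE 0

/* Simplified stand-ins for the per-port private data: the pending-state
 * array is immediately followed by the channel pointer it can clobber. */
struct port_old   { int dma_pending[SATA_DWC_QCMD_MAX_OLD];   void *chan; };
struct port_fixed { int dma_pending[SATA_DWC_QCMD_MAX_FIXED]; void *chan; };

/* A tag may index the pending array only if it is below the array length. */
int tag_in_bounds(unsigned tag, size_t qcmd_max) { return tag < qcmd_max; }

/* 1 if the slot one past the old array sits exactly where chan is stored. */
int oob_slot_overlaps_chan_old(void) {
    return offsetof(struct port_old, dma_pending) +
           SATA_DWC_QCMD_MAX_OLD * sizeof(int) == offsetof(struct port_old, chan);
}

/* Emulates sata_dwc_dma_xfer_complete() clearing dma_pending[tag] with the
 * old bound and no check. The store goes through memcpy on the struct's bytes
 * so the model stays well defined; the real driver does a plain array store.
 * Returns 1 if the store changed the bytes of chan. */
int unchecked_clear_corrupts_chan_old(unsigned tag) {
    struct port_old p;
    int sentinel = 0, none = SATA_DWC_DMA_PENDING_NONE;
    void *orig = &sentinel;                             /* a valid channel */
    memset(p.dma_pending, 0xA5, sizeof p.dma_pending);  /* all slots busy */
    p.chan = orig;
    memcpy((unsigned char *)&p + tag * sizeof(int), &none, sizeof none);
    return memcmp(&p.chan, &orig, sizeof orig) != 0;
}

/* Same clear with the patched bound: the internal tag now has its own slot.
 * Returns 1 when chan is untouched, -1 if the tag is still out of range. */
int fixed_clear_keeps_chan(unsigned tag) {
    struct port_fixed p;
    int sentinel = 0;
    memset(p.dma_pending, 0xA5, sizeof p.dma_pending);
    p.chan = &sentinel;
    if (!tag_in_bounds(tag, SATA_DWC_QCMD_MAX_FIXED)) return -1;
    p.dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;
    return p.chan == (void *)&sentinel;
}
```

With the old bound the internal tag fails the bounds check and its slot coincides with chan, so clearing the pending state zeroes the pointer; with the patched bound the same store stays inside the array.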

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local kernel out-of-bounds write that enables memory corruption; exploitation of the ATA driver flaw can be used for privilege escalation or denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Linux Kernel)
CVE-2026-31772 (same product: Linux Linux Kernel)
CVE-2022-49612 (same product: Linux Linux Kernel)
CVE-2026-23378 (same product: Linux Linux Kernel)
CVE-2026-31494 (same product: Linux Linux Kernel)
CVE-2025-21735 (same product: Linux Linux Kernel)
CVE-2025-21650 (same product: Linux Linux Kernel)
CVE-2024-52319 (same product: Linux Linux Kernel)
CVE-2024-58003 (same product: Linux Linux Kernel)
CVE-2026-23343 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 5.18 · 4.18 — 4.19.238 · 4.20 — 5.4.189 · 5.5 — 5.10.111

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates CVE-2022-49073 by requiring timely identification, testing, and installation of the kernel patches that adjust SATA_DWC_QCMD_MAX to prevent out-of-bounds writes in the sata_dwc_460ex driver.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables detection of vulnerable kernel versions through vulnerability scanning and monitoring of advisories, so the out-of-bounds write flaw can be remediated promptly.

Runtime memory protection (prevent)

Provides runtime memory protections, such as kernel address space randomization and guard mechanisms, that limit the scope and impact of an out-of-bounds write corrupting adjacent structures like the dma_chan pointer.
