CVE-2022-49218
Published: 26 February 2025
Summary
CVE-2022-49218 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). It sits at the 1.5th percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The controls most directly applicable are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the stable patches, and RA-5 (Vulnerability Monitoring and Scanning), to find kernels that still carry the flawed code.
Deeper analysis
CVE-2022-49218 is an out-of-bounds read in the Linux kernel's Direct Rendering Manager (DRM) DisplayPort (DP) helper code, in the function drm_dp_get_adjust_request_post_cursor in drivers/gpu/drm/drm_dp_helper.c. The helper indexes the caller's link_status array, a fixed 6-byte buffer (DP_LINK_STATUS_SIZE) that holds the DPCD link-status registers starting at DP_LANE0_1_STATUS, using the offset of the requested register from DP_LANE0_1_STATUS. The Adjust Request Post Cursor2 register lies 10 bytes past DP_LANE0_1_STATUS, so the index is the constant 10 and the read lands beyond the end of the 6-byte array every time the helper is called for that register. The defect was caught at build time by a -Warray-bounds build rather than by a runtime report. Affected are the Linux kernel versions that carry the flawed helper.
Exploitation requires local access with low privileges and no user interaction (AV:L/AC:L/PR:L/UI:N/S:U). A local user who can drive the DisplayPort link-status handling path could cause the kernel to read memory adjacent to link_status, scored as high confidentiality impact (C:H), or crash the kernel, scored as high availability impact (A:H); no integrity impact is scored (I:N). Whether that path is reachable on a given system depends on the DRM driver in use and on whether it calls the helper; the score reflects the worst case. The CVSS v3.1 base score is 7.1, and the weakness is classified as CWE-125 (Out-of-bounds Read).
The kernel stable patches remove the common helper drm_dp_get_adjust_request_post_cursor altogether and replace its only caller with an open-coded fetch and decode of the Post Cursor2 register, mirroring the approach already used in drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c. Reading the register on its own, instead of indexing into the 6-byte link_status block, removes the out-of-bounds access. The fixes are available as kernel stable commits at https://git.kernel.org/stable/c/a2151490cc6c57b368d7974ffd447a8b36ade639 and https://git.kernel.org/stable/c/aeaed9a9fe694f8b1462fb81e2d33298c929180b.
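To make the index arithmetic and the shape of the fix concrete, here is an added, stand-alone C example. It is not kernel code and not the upstream patch: it uses the DPCD register addresses as defined in the DisplayPort spec and mirrored by the kernel's drm_dp_helper.h, a constructed in-memory DPCD image in place of a real sink, and shows the index the removed helper computed for Post Cursor2, a bounds-checked accessor that rejects registers outside the 6-byte link_status block, and the open-coded fetch-and-decode pattern the fix switched to. The helper names dpcd_read, link_status_has_reg and get_post_cursor2_fixed are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DPCD register addresses and sizes from the DisplayPort spec, as the
 * kernel defines them in include/drm/drm_dp_helper.h. */
#define DP_LANE0_1_STATUS               0x202
#define DP_ADJUST_REQUEST_POST_CURSOR2  0x20c
#define DP_LINK_STATUS_SIZE             6   /* 0x202 .. 0x207 inclusive */

/* Constructed DPCD image standing in for a sink (example data, not captured
 * from hardware). 0xE4 = 0b11100100: lane0=0, lane1=1, lane2=2, lane3=3. */
static uint8_t dpcd_image[0x210] = {
    [DP_ADJUST_REQUEST_POST_CURSOR2] = 0xE4,
};

/* Simulated AUX read: copy len bytes starting at DPCD address addr. */
int dpcd_read(unsigned int addr, uint8_t *buf, size_t len)
{
    if (addr + len > sizeof dpcd_image)
        return -1;
    memcpy(buf, &dpcd_image[addr], len);
    return 0;
}

/* The index the removed helper computed: register address minus the base of
 * the 6-byte link_status block. For POST_CURSOR2 this is 10, which is past
 * the end of a u8[DP_LINK_STATUS_SIZE]. Computed here, never dereferenced. */
unsigned int vulnerable_index(void)
{
    return DP_ADJUST_REQUEST_POST_CURSOR2 - DP_LANE0_1_STATUS;
}

/* Hardened accessor: refuse any register outside the block the array holds. */
int dp_link_status_checked(const uint8_t status[DP_LINK_STATUS_SIZE],
                           unsigned int reg, uint8_t *out)
{
    if (reg < DP_LANE0_1_STATUS ||
        reg - DP_LANE0_1_STATUS >= DP_LINK_STATUS_SIZE)
        return -1;
    *out = status[reg - DP_LANE0_1_STATUS];
    return 0;
}

/* Fetch the link_status block from the sink and ask whether reg can be
 * served from it. Returns 1 if yes, 0 if the access would be out of bounds. */
int link_status_has_reg(unsigned int reg)
{
    uint8_t link_status[DP_LINK_STATUS_SIZE], v;
    if (dpcd_read(DP_LANE0_1_STATUS, link_status, sizeof link_status))
        return 0;
    return dp_link_status_checked(link_status, reg, &v) == 0;
}

/* Post Cursor2 packs four 2-bit lane fields into one byte. */
uint8_t decode_post_cursor2(uint8_t value, unsigned int lane)
{
    return (value >> (lane << 1)) & 0x3;
}

/* The fixed pattern: fetch the register on its own instead of indexing into
 * link_status, then decode. Returns 0..3, or 0xff on AUX failure / bad lane. */
uint8_t get_post_cursor2_fixed(unsigned int lane)
{
    uint8_t value;
    if (lane > 3 || dpcd_read(DP_ADJUST_REQUEST_POST_CURSOR2, &value, 1))
        return 0xff;
    return decode_post_cursor2(value, lane);
}

int main(void)
{
    printf("helper index for POST_CURSOR2: %u (array has %d entries)\n",
           vulnerable_index(), DP_LINK_STATUS_SIZE);
    printf("checked access to POST_CURSOR2: %s\n",
           link_status_has_reg(DP_ADJUST_REQUEST_POST_CURSOR2) ? "ok" : "rejected");
    for (unsigned int lane = 0; lane < 4; lane++)
        printf("lane %u post-cursor2 = %u\n", lane, get_post_cursor2_fixed(lane));
    return 0;
}
```

The bounds-checked accessor is the defensive variant of the pattern the kernel removed; the upstream fix chose the simpler route of not indexing the shared array for this register at all, which is what get_post_cursor2_fixed does.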
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55008
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: drm/dp: Fix OOB read when handling Post Cursor2 register

The link_status array was not large enough to read the Adjust Request Post Cursor2 register, so remove the common helper function to avoid an OOB read, found with a -Warray-bounds build:

drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
   59 |         return link_status[r - DP_LANE0_1_STATUS];
      |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
  147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
      |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Replace the only user of the helper with an open-coded fetch and decode, similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.
CWE(s)
- CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in kernel code can disclose kernel memory to a local user, which maps to T1212 (Exploitation for Credential Access); the same access can crash the kernel, which maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates obtaining, testing and installing patches for known flaws such as this out-of-bounds read in the kernel's DRM DP helper code; applying the kernel stable commits listed above is the remediation.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning and monitoring to identify deployed Linux kernels still exposed to CVE-2022-49218, based on kernel version and patch status.
- Memory protection: hardening such as KASLR and SMAP does not stop this read itself, since the over-read is of kernel memory adjacent to a kernel array, but it raises the cost of turning a disclosed value into further compromise. The access is caught directly by a -Warray-bounds build (which is how the bug was found) and, at runtime, by KASAN-enabled test kernels.