Cyber Resilience

CVE-2022-49250

High

Published: 26 February 2025

Published
26 February 2025
Modified
22 September 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0014 33.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49250 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2022-49250 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel's ASoC (ALSA System on Chip) rx-macro codec driver. The issue arises because the driver does not check whether the AUX interpolator has a compander before accessing its compander data, resulting in an out-of-bounds access in the comp_enabled[] array.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation leads to high confidentiality impact (C:H), such as potential information disclosure, and high availability impact (A:H), such as denial of service via system crash, with unchanged scope (S:U). The CVSS v3.1 base score is 7.1 (High).

Mitigation is provided through patches in the Linux kernel stable repository, as documented in the referenced commits (e.g., 42c709c4e1ce4c136891530646c9abd5dff3524f, 6aa8ef9535dbd561293406608ebe791627b10196). These patches add a check before accessing compander data for the AUX interpolator, preventing the out-of-bounds access. Security practitioners should apply the relevant stable kernel updates to affected systems.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: rx-macro: fix accessing compander for aux AUX interpolator does not have compander, so check before accessing compander data for this. Without this checkan array of out bounds access…

more

will be made in comp_enabled[] array.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel OOB read enables privilege escalation via info leak/DoS (T1068), credential access via memory disclosure (T1212), and system crash via exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23076Same product: Linux Linux Kernel
CVE-2022-49515Same product: Linux Linux Kernel
CVE-2025-71136Same product: Linux Linux Kernel
CVE-2022-49234Same product: Linux Linux Kernel
CVE-2025-71101Same product: Linux Linux Kernel
CVE-2026-31528Same product: Linux Linux Kernel
CVE-2024-57982Same product: Linux Linux Kernel
CVE-2022-49368Same product: Linux Linux Kernel
CVE-2025-21743Same product: Linux Linux Kernel
CVE-2022-49738Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.12 — 5.15.33 · 5.16 — 5.16.19 · 5.17 — 5.17.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the out-of-bounds read by requiring timely application of the kernel patch that adds the missing check before accessing compander data for the AUX interpolator.

prevent

Provides kernel memory protection mechanisms such as address space layout randomization or page protections that can mitigate the impact of out-of-bounds reads even if the flaw exists.

prevent

Enforces proper error handling to avoid unsafe array accesses like the unchecked comp_enabled[] read when compander is absent for AUX interpolator.

References