CVE-2022-49250
Published: 26 February 2025
Summary
CVE-2022-49250 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2022-49250 is an out-of-bounds read vulnerability (CWE-125) in the Linux kernel's ASoC (ALSA System on Chip) rx-macro codec driver. The issue arises because the driver does not check whether the AUX interpolator has a compander before accessing its compander data, resulting in an out-of-bounds access in the comp_enabled[] array.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) to the system. Successful exploitation leads to high confidentiality impact (C:H), such as potential information disclosure, and high availability impact (A:H), such as denial of service via system crash, with unchanged scope (S:U). The CVSS v3.1 base score is 7.1 (High).
Mitigation is provided through patches in the Linux kernel stable repository, as documented in the referenced commits (e.g., 42c709c4e1ce4c136891530646c9abd5dff3524f, 6aa8ef9535dbd561293406608ebe791627b10196). These patches add a check before accessing compander data for the AUX interpolator, preventing the out-of-bounds access. Security practitioners should apply the relevant stable kernel updates to affected systems.
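The missing check described above, as an added example that is not the kernel driver's code: a simplified user-space C model showing the unchecked array index beside the guarded one. The enum, struct and function names are hypothetical; only comp_enabled[] and the AUX interpolator come from the advisory text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; all names here are hypothetical,
 * not the rx-macro driver's identifiers. */
enum interp { INTERP_RX0, INTERP_RX1, INTERP_AUX, INTERP_MAX };

/* Only RX0 and RX1 have a compander in this model; AUX does not. */
#define NUM_COMPANDERS 2

struct codec_state {
    int comp_enabled[NUM_COMPANDERS]; /* indexed by interpolator */
    int other_state;                  /* constructed neighbouring field */
};

/* Before: the interpolator index is used directly. For INTERP_AUX
 * (index 2) this would read one element past comp_enabled[]. */
int compander_enabled_unchecked(const struct codec_state *s, enum interp n)
{
    return s->comp_enabled[n];
}

/* After: interpolators without a compander are rejected first. */
bool interp_has_compander(enum interp n)
{
    return (int)n >= 0 && (int)n < NUM_COMPANDERS;
}

int compander_enabled_checked(const struct codec_state *s, enum interp n)
{
    if (!interp_has_compander(n))
        return 0; /* no compander: nothing to read or configure */
    return s->comp_enabled[n];
}

int main(void)
{
    struct codec_state s = { .comp_enabled = { 1, 0 }, .other_state = 0x5ec };
    /* The unchecked variant is only called with a valid index here. */
    printf("RX0 unchecked: %d\n", compander_enabled_unchecked(&s, INTERP_RX0));
    printf("RX1 checked:   %d\n", compander_enabled_checked(&s, INTERP_RX1));
    printf("AUX checked:   %d\n", compander_enabled_checked(&s, INTERP_AUX));
    return 0;
}
```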
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54976
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: rx-macro: fix accessing compander for aux. AUX interpolator does not have compander, so check before accessing compander data for this. Without this check an array of out bounds access will be made in comp_enabled[] array.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel OOB read enables privilege escalation via info leak/DoS (T1068), credential access via memory disclosure (T1212), and system crash via exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the out-of-bounds read by requiring timely application of the kernel patch that adds the missing check before accessing compander data for the AUX interpolator.
Provides kernel memory protection mechanisms such as address space layout randomization or page protections that can mitigate the impact of out-of-bounds reads even if the flaw exists.
Enforces proper error handling to avoid unsafe array accesses like the unchecked comp_enabled[] read when compander is absent for AUX interpolator.