Cyber Resilience

CVE-2022-49261

High

Published: 26 February 2025

Published
26 February 2025
Modified
22 September 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49261 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49261 is a vulnerability in the Linux kernel's Direct Rendering Manager (DRM) i915 GEM subsystem, specifically in the vm_access() function. The issue stems from a missing bounds check on the len parameter before a memcpy operation, which can result in out-of-bounds reads or writes into adjacent kernel memory areas. This flaw was demonstrated by a proof-of-concept that triggered a kernel page fault and oops during a supervisor read access, as seen in the provided kernel crash log from a tainted 5.17.0-rc6 kernel on Intel CoffeeLake hardware.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction required. Exploitation occurs through operations like vfs_read on an i915-related interface, such as __access_remote_vm leading to mem_rw. Successful exploitation enables high confidentiality, integrity, and availability impacts (CVSS 7.8: C:H/I:H/A:H), potentially allowing arbitrary kernel memory corruption, information disclosure, or denial of service via kernel crashes, as evidenced by the memcpy_erms fault in the trace.

Mitigation involves applying the relevant stable kernel patches, such as those in commits 312d3d4f49e12f97260bcf972c848c3562126a18, 3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7, 5f6e560e3e86ac053447524224e411034f41f5c7, 89ddcc81914ab58cc203acc844f27d55ada8ec0e, and 8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5f5aa from git.kernel.org/stable. These patches add the missing boundary check using range_overflows_t and were cherry-picked from upstream commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6. Security practitioners should ensure systems with i915 drivers update to kernels incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: add missing boundary check in vm_access A missing bounds check in vm_access() can lead to an out-of-bounds read or write in the adjacent memory area, since the len attribute…

more

is not validated before the memcpy later in the function, potentially hitting: [ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000 [ 183.637934] #PF: supervisor read access in kernel mode [ 183.637997] #PF: error_code(0x0000) - not-present page [ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI [ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1 [ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019 [ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10 [ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004 [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000 [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000 [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000 [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000 [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0 [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 183.650142] Call Trace: [ 183.650988] <TASK> [ 183.651793] vm_access+0x1f0/0x2a0 [i915] [ 183.652726] __access_remote_vm+0x224/0x380 [ 183.653561] mem_rw.isra.0+0xf9/0x190 [ 183.654402] vfs_read+0x9d/0x1b0 [ 183.655238] ksys_read+0x63/0xe0 [ 183.656065] do_syscall_64+0x38/0xc0 [ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142 [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005 [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046 [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0 [ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000 Changes since v1: - Updated if condition with range_overflows_t [Chris Wilson] [mauld: tidy up the commit message and add Cc: stable] (cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing bounds check in kernel DRM i915 vm_access enables local memory corruption for privilege escalation via arbitrary kernel read/write.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21687Same product: Linux Linux Kernel
CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-43048Same product: Linux Linux Kernel
CVE-2022-49612Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.8 — 5.10.110 · 5.11 — 5.15.33 · 5.16 — 5.16.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying kernel patches that add the missing boundary check in vm_access() directly remediates the out-of-bounds read/write vulnerability.

prevent

Validating the 'len' parameter bounds before memcpy in the i915 GEM vm_access() function prevents out-of-bounds memory access by untrusted inputs.

prevent

Kernel memory protections such as guard pages and address space isolation mitigate exploitation of out-of-bounds accesses into adjacent memory areas.

References