CVE-2022-49291
Published: 26 February 2025
Summary
CVE-2022-49291 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-41 (Port and I/O Device Access).
Deeper analysis
CVE-2022-49291 is a race condition vulnerability in the Linux kernel's ALSA PCM subsystem, specifically involving concurrent calls to the hw_params and hw_free ioctls. Without proper synchronization, these operations can lead to a use-after-free (UAF) condition, as the existing PCM stream lock does not protect the full ioctl paths. The issue affects Linux kernel versions prior to the application of the fixing commits and is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering concurrent hw_params and hw_free operations on a PCM device. A successful race results in a UAF in kernel memory, which can lead to arbitrary code execution in kernel context, data corruption, or a system crash, consistent with the high confidentiality, integrity, and availability impacts in the CVSS vector.
The referenced kernel stable commits describe the fix: a new mutex, runtime->buffer_mutex, serializes the hw_params and hw_free ioctl paths, and the mmap_count check is moved into the state-check block for simplicity. Security practitioners should ensure affected systems receive the patches from the referenced commits.
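As an added illustration, not the kernel's own code and not from this page, the following hypothetical user-space C model shows the pattern the fix describes: one buffer_mutex held across the whole of hw_params and hw_free, the mmap_count check placed inside the state check, and a two-thread stress check that confirms every buffer is freed exactly once. The names race_check, allocs/frees and the -EBUSY return value are assumptions of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical user-space model of the fixed pattern (not the kernel's code):
 * buffer_mutex covers the whole hw_params/hw_free paths and the mmap_count
 * check sits inside the state-check block. */
enum { STATE_OPEN, STATE_SETUP };

struct runtime {
    pthread_mutex_t buffer_mutex;
    int state, mmap_count;
    unsigned char *dma_area;  /* buffer hw_params allocates and hw_free releases */
    long allocs, frees;       /* accounting so a check can spot double frees */
};

static int hw_params(struct runtime *rt, size_t bytes)
{
    pthread_mutex_lock(&rt->buffer_mutex);
    int ok = rt->state == STATE_OPEN && !rt->mmap_count;  /* mmap_count in state check */
    if (ok) { rt->dma_area = malloc(bytes); rt->allocs++; rt->state = STATE_SETUP; }
    pthread_mutex_unlock(&rt->buffer_mutex);
    return ok ? 0 : -EBUSY;
}

static int hw_free(struct runtime *rt)
{
    pthread_mutex_lock(&rt->buffer_mutex);
    int ok = rt->state == STATE_SETUP && !rt->mmap_count;
    if (ok) { free(rt->dma_area); rt->dma_area = NULL; rt->frees++; rt->state = STATE_OPEN; }
    pthread_mutex_unlock(&rt->buffer_mutex);
    return ok ? 0 : -EBUSY;
}
static int g_iters;           /* iterations per racing thread */
static void *worker(void *p)
{
    for (int i = 0; i < g_iters; i++) { hw_params(p, 4096); hw_free(p); }
    return NULL;
}

/* Two threads race hw_params against hw_free; 0 means every buffer was freed exactly once. */
int race_check(int iters)
{
    struct runtime rt = { PTHREAD_MUTEX_INITIALIZER, STATE_OPEN, 0, NULL, 0, 0 };
    pthread_t t[2];
    g_iters = iters;
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &rt);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    hw_free(&rt);             /* release whatever the last hw_params left behind */
    return (rt.allocs == rt.frees && rt.dma_area == NULL) ? 0 : -1;
}
```

Removing the lock/unlock pairs turns the same harness into the racy pattern the advisory describes, where one thread can free dma_area while the other is still using or re-allocating it.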
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54935
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls. Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls. This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params and hw_free ioctl code paths. Along with it, both functions are slightly modified (the mmap_count check is moved into the state-check block) for code simplicity.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition in ALSA PCM directly enables privilege escalation via arbitrary code execution in kernel context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the race condition in ALSA PCM by applying the kernel patch that introduces runtime->buffer_mutex to serialize the hw_params and hw_free ioctls, preventing the UAF.
- Kernel memory protections such as ASLR, SMEP, and SMAP mitigate exploitation of the UAF that results from the concurrent ioctl race.
- SC-41 (Port and I/O Device Access): Restricts low-privilege local access to ALSA PCM I/O devices, preventing attackers from issuing the concurrent hw_params and hw_free ioctls that trigger the race.