Cyber Resilience

CVE-2022-49478

High

Published: 26 February 2025

Published
26 February 2025
Modified
01 October 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 3.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49478 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49478 is an array-index-out-of-bounds vulnerability in the Linux kernel's pvrusb2 media driver, specifically within the pvr2_i2c_core_init function. The issue stems from a missing validation check on hdw->unit_number, which is initialized to -1 and remains unchanged if the initialization table walk fails, allowing this invalid value to be used directly as an array index. This flaw, reported by Syzbot, is classified under CWE-129 (Improper Validation of Array Index).

A local attacker with low privileges can exploit this vulnerability given its low attack complexity and lack of user interaction requirements (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 7.8). Exploitation could enable high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution, data corruption, or system crashes on affected systems with the vulnerable pvrusb2 driver loaded.

Mitigation is addressed in Linux kernel stable releases via the referenced commits, which introduce a sanity check on hdw->unit_number prior to its use for array indexing—the simplest and most direct fix. The commits also relocate hdw->workpoll initialization earlier in the code to avoid a warning during __flush_work. Security practitioners should ensure systems apply these upstream stable patches, particularly those using pvrusb2 hardware support.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init Syzbot reported that -1 is used as array index. The problem was in missing validation check. hdw->unit_number is initialized with -1 and then if…

more

init table walk fails this value remains unchanged. Since code blindly uses this member for array indexing adding sanity check is the easiest fix for that. hdw->workpoll initialization moved upper to prevent warning in __flush_work.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel array out-of-bounds flaw in pvrusb2 driver directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49170Same product: Linux Linux Kernel
CVE-2022-49186Same product: Linux Linux Kernel
CVE-2026-23354Same product: Linux Linux Kernel
CVE-2025-71100Same product: Linux Linux Kernel
CVE-2025-21692Same product: Linux Linux Kernel
CVE-2022-49720Same product: Linux Linux Kernel
CVE-2023-52987Same product: Linux Linux Kernel
CVE-2023-53019Same product: Linux Linux Kernel
CVE-2022-49548Same product: Linux Linux Kernel
CVE-2025-71143Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.18 — 4.9.318 · 4.10 — 4.14.283 · 4.15 — 4.19.247

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation ensures timely patching of the missing validation check on hdw->unit_number in pvr2_i2c_core_init, directly eliminating the array-index-out-of-bounds vulnerability.

prevent

Least functionality restricts loading of unnecessary kernel drivers like the vulnerable pvrusb2 module, removing the exploitable code path entirely.

detect

Vulnerability monitoring and scanning identifies the presence of CVE-2022-49478 in kernel versions for prioritized remediation.

References