Cyber Resilience

CVE-2022-49515

High

Published: 26 February 2025
Modified: 21 October 2025
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49515 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49515 is an out-of-bounds access vulnerability in the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically affecting the CS35L41 audio codec driver. The issue arises because the constant CS35L41_NUM_OTP_ELEM is defined as 100, but the arrays otp_map_1 and otp_map_2 only contain 99 entries. This mismatch triggers a shift-out-of-bounds condition in the cs35l41_otp_unpack() function, as reported by UBSAN, when processing the last entry via GENMASK(-1, 0). The vulnerability was observed in kernel version 5.15.0-23-generic during probing of the snd_hda_scodec_cs35l41 module.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring local access (AV:L) to the system. Successful exploitation leads to high confidentiality impact (C:H) through potential out-of-bounds reads (CWE-125) and high availability impact (A:H), likely causing denial of service via crashes or memory corruption, with no integrity impact (I:N) and no scope change (S:U). The CVSS v3.1 base score is 7.1.

Mitigation involves applying patches from the Linux kernel stable trees, as detailed in the referenced commits: 9f342904216f378e88008bb0ce1ae200a4b99fe8, a59b9958416096dd21dc4f62b0c5be525d459ca8, and dbc35268e14d5d89c7a9db72009ad4dcd9ede646. These fixes address the array size discrepancy in the CS35L41 driver to prevent the UBSAN-reported shift-out-of-bounds error.
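The mismatch described above, as an added example that is not code from the kernel or from this page: a scaled-down model in which a table declared with one more slot than it has initialisers ends in a zero-filled entry, next to a sized-by-initialiser table and a checked mask helper. All names and table values are constructed, and the model assumes the mask is built in the GENMASK(size - 1, 0) style that the advisory's GENMASK(-1, 0) implies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: names, sizes and values are not the kernel's. */
#define MASK_BITS 64u              /* width of 'long unsigned int' in the UBSAN report */
#define NUM_ELEM 5                 /* stands in for CS35L41_NUM_OTP_ELEM */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define OTP_ROWS { 0x1000, 0, 4 }, { 0x1004, 4, 6 }, { 0x1008, 0, 1 }, { 0x100c, 8, 8 }

struct otp_elem { uint32_t reg; uint8_t shift; uint8_t size; };

/* Bug pattern: 5 slots declared, 4 initialised; C zero-fills the last one. */
static const struct otp_elem map_short[NUM_ELEM] = { OTP_ROWS };

/* Hardened form: the initialiser sets the length, and the count is asserted. */
static const struct otp_elem map_sized[] = { OTP_ROWS };
_Static_assert(ARRAY_SIZE(map_sized) == 4, "element count drifted from table");

/* Right-shift count used inside GENMASK(h, 0): bits - 1 - h. */
static int genmask_shift_count(int h) { return (int)MASK_BITS - 1 - h; }

/* Checked mask of `size` low bits; rejects widths the shift cannot express. */
static int field_mask(unsigned size, uint64_t *mask)
{
    if (size == 0 || size > MASK_BITS)
        return -1;
    *mask = ~UINT64_C(0) >> (MASK_BITS - size);
    return 0;
}

/* Count table entries whose mask would need an undefined shift. */
static size_t count_bad_entries(const struct otp_elem *map, size_t n)
{
    size_t bad = 0;
    uint64_t mask;
    for (size_t i = 0; i < n; i++)
        if (field_mask(map[i].size, &mask) != 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("short: %zu bad, sized: %zu bad, shift count for h=-1: %d\n",
           count_bad_entries(map_short, NUM_ELEM),
           count_bad_entries(map_sized, ARRAY_SIZE(map_sized)), genmask_shift_count(-1));
    return 0;
}
```

The shift count of 64 for h = -1 is the "shift exponent 64 is too large for 64-bit type" that UBSAN reports; the sized-by-initialiser table is one defensive pattern and is not presented as the upstream fix.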

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t

The CS35L41_NUM_OTP_ELEM is 100, but only 99 entries are defined in the array otp_map_1/2[CS35L41_NUM_OTP_ELEM], this will trigger UBSAN to report a shift-out-of-bounds warning in the cs35l41_otp_unpack() since the last entry in the array will result in GENMASK(-1, 0).

UBSAN reports this problem:

    UBSAN: shift-out-of-bounds in /home/hwang4/build/jammy/jammy/sound/soc/codecs/cs35l41-lib.c:836:8
    shift exponent 64 is too large for 64-bit type 'long unsigned int'
    CPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23
    Hardware name: LENOVO \x02MFG_IN_GO/\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022
    Call Trace:
     <TASK>
     show_stack+0x52/0x58
     dump_stack_lvl+0x4a/0x5f
     dump_stack+0x10/0x12
     ubsan_epilogue+0x9/0x45
     __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
     ? regmap_unlock_mutex+0xe/0x10
     cs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]
     cs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]
     cs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]
     ? cs35l41_hda_i2c_remove+0x20/0x20 [snd_hda_scodec_cs35l41_i2c]
     i2c_device_probe+0x252/0x2b0

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Local kernel OOB read in audio driver enables privilege escalation (T1068), credential/info disclosure via memory leak (T1212), and system crash/DoS via exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23076: Same product: Linux Linux Kernel
CVE-2025-71136: Same product: Linux Linux Kernel
CVE-2022-49234: Same product: Linux Linux Kernel
CVE-2025-71101: Same product: Linux Linux Kernel
CVE-2026-31528: Same product: Linux Linux Kernel
CVE-2022-49250: Same product: Linux Linux Kernel
CVE-2024-57982: Same product: Linux Linux Kernel
CVE-2022-49368: Same product: Linux Linux Kernel
CVE-2025-21743: Same product: Linux Linux Kernel
CVE-2022-49738: Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.16 — 5.17.14 · 5.18 — 5.18.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly remediates the array bounds mismatch in the CS35L41 driver by applying specific kernel patches, preventing the out-of-bounds shift condition.

Prevent: Restricts loading of unnecessary kernel modules like snd_soc_cs35l41_lib, avoiding exposure to the vulnerable driver during device probing.

Prevent: Implements kernel memory protections such as ASLR or SMEP to mitigate potential exploitation of the out-of-bounds access for DoS or information disclosure.
