Cyber Resilience

CVE-2022-49551

Severity: High

Published: 26 February 2025
Modified: 01 October 2025
KEV Added: not listed
Patch: available (upstream stable releases)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49551 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel's isp1760 USB host controller driver. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 35.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49551 is an out-of-bounds array read in the Linux kernel's isp1760 USB host controller driver (drivers/usb/isp1760, which also covers the ISP1761 and ISP1763 variants). The read happens at probe time in isp1760_register(), where a loop of the form for (i = 0; i < HC_FIELD_MAX; i++) walks a table of regmap fields, so the table must hold HC_FIELD_MAX elements (indices 0 through HC_FIELD_MAX-1). The tables isp1760_hc_reg_fields, isp1763_hc_reg_fields, isp1763_hc_volatile_ranges and isp1763_dc_volatile_ranges are declared with designated initialisers and no explicit length, so the compiler sizes each one to its highest initialised index plus one. Where a variant does not populate the last field indices, the table is shorter than HC_FIELD_MAX and the loop reads past its end into whatever global data follows it; KASAN reports this as a global-out-of-bounds read in isp1760_register. The issue is classified as CWE-125 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

The CVSS vector models a local, low-privileged attacker (AV:L/PR:L) with high confidentiality and availability impact. In practice the read is not reached from an ordinary user-controlled path: it runs inside the driver's probe function when the host-controller platform device is bound, which in the KASAN report quoted under Vulnerability details happens during boot (task swapper/0/1 via isp1760_plat_probe) and otherwise only on module load or a sysfs driver bind, both of which require root. The out-of-bounds data is adjacent kernel global memory that gets interpreted as register-field descriptors, so the realistic outcomes are a corrupted regmap configuration or a crash during probe rather than a direct leak to user space. Treat the CVSS figures as an upper bound.

The fix is in upstream Linux stable releases. The commits 26ae2c942b5702f2e43d36b2a4389cfb7d616b6a, 463bddd3ff1acf4036ddb80c34a715eb99debf46, 47d39cb57e8669e507d17d9e0d067d2b3e3a87ae and bf2558bbdce3ab1d6bcba09f354914e4515d0a2b append an empty initialiser at index [HC_FIELD_MAX] (and [DC_FIELD_MAX] for the device-controller table) to each affected array. That forces the compiler to allocate HC_FIELD_MAX + 1 elements, one more than the loop can ever touch, so there is nothing left to overrun, at the cost of a single unused entry; the commits also add comments explaining the sentinel. Practitioners should update to a kernel carrying these commits. On systems that have no ISP176x controller, leaving the isp1760 driver unbuilt or unloaded removes the probe path entirely.
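The block below is an added illustration (the editor's example, not the driver's code; the enum, struct and table names are simplified stand-ins for the kernel's HC_FIELD_* enum, struct reg_field and the isp176x field tables). It reproduces the short-table bug described above and the sentinel-entry fix from the commits listed, and adds the compile-time size check and the runtime bounds check that the original loop lacked:

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Field indices for the example. These names are this example's own, a
 * stand-in for the driver's much longer HC_FIELD_* enum; HC_FIELD_MAX
 * plays the same role as in the kernel: one past the last real field. */
enum hc_field {
	HC_PORT_ENABLE,
	HC_PORT_RESET,
	HC_PORT_POWER,   /* deliberately left out of the short table below */
	HC_FIELD_MAX,
};

/* Simplified stand-in for the kernel's struct reg_field. */
struct reg_field_ex {
	unsigned int reg;
	unsigned int lsb;
	unsigned int msb;
};

/* Vulnerable shape: no explicit length, designated initialisers only.
 * The compiler sizes the array to (highest index + 1) == 2 elements,
 * while the probe loop assumes HC_FIELD_MAX == 3 entries exist. */
static const struct reg_field_ex hc_fields_short[] = {
	[HC_PORT_ENABLE] = { .reg = 0x60, .lsb = 0, .msb = 0 },
	[HC_PORT_RESET]  = { .reg = 0x60, .lsb = 1, .msb = 1 },
};

/* Fixed shape, mirroring the upstream commits: an empty entry at
 * [HC_FIELD_MAX] forces the array to HC_FIELD_MAX + 1 == 4 elements,
 * so a loop to HC_FIELD_MAX - 1 cannot step past the end. The kernel
 * writes the sentinel as "= {}"; "{ 0 }" is the strict-C11 spelling. */
static const struct reg_field_ex hc_fields_fixed[] = {
	[HC_PORT_ENABLE] = { .reg = 0x60, .lsb = 0, .msb = 0 },
	[HC_PORT_RESET]  = { .reg = 0x60, .lsb = 1, .msb = 1 },
	[HC_FIELD_MAX]   = { 0 },   /* sentinel; see the commit message */
};

/* The check the driver could have carried at compile time; applied to
 * hc_fields_short it would fail the build instead of reading past the end. */
_Static_assert(ARRAY_SIZE(hc_fields_fixed) >= HC_FIELD_MAX,
	       "regmap field table shorter than HC_FIELD_MAX");

/* The driver's probe loop, with the bounds check it lacked. Copies the
 * register offset of each field into regs_out and returns the number of
 * fields processed, or -1 at the first index that would read past the
 * table (the point KASAN reported as a global-out-of-bounds read). */
static int register_fields(const struct reg_field_ex *tbl, size_t tbl_len,
			   unsigned int regs_out[HC_FIELD_MAX])
{
	for (int i = 0; i < HC_FIELD_MAX; i++) {
		if ((size_t)i >= tbl_len)
			return -1;
		regs_out[i] = tbl[i].reg;
	}
	return HC_FIELD_MAX;
}

size_t short_table_len(void) { return ARRAY_SIZE(hc_fields_short); } /* 2 */
size_t fixed_table_len(void) { return ARRAY_SIZE(hc_fields_fixed); } /* 4 */

int probe_short(void)
{
	unsigned int regs[HC_FIELD_MAX];
	return register_fields(hc_fields_short, ARRAY_SIZE(hc_fields_short), regs);
}

int probe_fixed(void)
{
	unsigned int regs[HC_FIELD_MAX];
	return register_fields(hc_fields_fixed, ARRAY_SIZE(hc_fields_fixed), regs);
}

int main(void)
{
	printf("short table: %zu entries, probe -> %d\n",
	       short_table_len(), probe_short());
	printf("fixed table: %zu entries, probe -> %d\n",
	       fixed_table_len(), probe_fixed());
	return 0;
}
```

The short table shows why the bug is easy to miss in review: nothing in the declaration says how long the array is, and the length silently tracks whichever index the last designated initialiser happens to use. The sentinel makes the length independent of which fields a given variant populates, and the _Static_assert turns the same assumption into a build failure if anyone later removes it.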

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

usb: isp1760: Fix out-of-bounds array access

Running the driver through kasan gives an interesting splat:

  BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c
  Read of size 20 at addr f1db2e64 by task swapper/0/1
  …
  (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...)

This happens because the loop reading the regmap fields for the different ISP1760 variants looks like this:

  for (i = 0; i < HC_FIELD_MAX; i++) { ... }

Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long. However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation.

Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read.

Also add comments explaining what is going on.

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A local out-of-bounds read in a kernel driver can expose kernel memory contents (T1005), can serve as one link in a privilege-escalation chain (T1068), and can crash the system (T1499.004). For this bug the trigger is the driver's probe path at bind time rather than a user-reachable operation, which limits how directly any of the three applies.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49623 (same product: Linux kernel)
CVE-2026-31513 (same product: Linux kernel)
CVE-2026-31614 (same product: Linux kernel)
CVE-2025-21789 (same product: Linux kernel)
CVE-2025-21741 (same product: Linux kernel)
CVE-2024-52332 (same product: Linux kernel)
CVE-2026-23235 (same product: Linux kernel)
CVE-2025-21647 (same product: Linux kernel)
CVE-2025-21742 (same product: Linux kernel)
CVE-2026-31442 (same product: Linux kernel)

Affected Assets

Vendor: Linux
Product: Linux kernel
Affected versions: 5.14 through 5.15.46; 5.16 through 5.17.14; 5.18 through 5.18.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

SI-2 (Flaw Remediation) mandates timely identification, reporting and correction of software flaws. For this CVE that means applying the upstream kernel commits that extend the affected arrays, or moving to a stable kernel that already carries them.

prevent

CM-7 (Least Functionality) requires restricting a system to the functions it needs. The isp1760 driver is only useful on boards that carry an ISP1760, ISP1761 or ISP1763 host controller; on any other system it can be built out (CONFIG_USB_ISP1760 disabled) or the isp1760 module left unloaded. The vulnerable code sits in the driver's probe path and runs when the driver binds to the controller, not when a USB peripheral is plugged in, so a driver that never binds never reaches it.

detect

SI-16 (Memory Protection) covers memory-protection mechanisms, but KASLR and SMAP do not constrain this bug: it is an in-kernel read of the global data that happens to follow a too-short table, with no user-space address involved and no attacker-chosen index. The protection that does apply is bounds instrumentation in test and CI kernels (KASAN, which is how the bug was found, or CONFIG_UBSAN_BOUNDS), so that a table shorter than its loop bound is caught before the kernel ships.

References