CVE-2022-49551
Published: 26 February 2025
Summary
CVE-2022-49551 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); the vulnerability ranks at the 35.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49551 is an out-of-bounds array access vulnerability in the Linux kernel's isp1760 USB driver. The issue occurs during the driver's probe phase in the isp1760_register function, where a loop iterates over the regmap fields for the ISP1760 variants from index 0 up to HC_FIELD_MAX-1, so it expects each array to hold at least HC_FIELD_MAX entries. However, arrays such as isp1760_hc_reg_fields, isp1763_hc_reg_fields, isp1763_hc_volatile_ranges, and isp1763_dc_volatile_ranges have their length fixed at compile time by their initialisers and may be shorter than that, leading to a global out-of-bounds read detected by KASAN. This is classified as CWE-125 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the isp1760 driver probe, such as through device insertion or related operations. Successful exploitation enables high-impact confidentiality violations, potentially exposing sensitive kernel memory, and high-impact availability disruptions, such as system crashes or denial of service.
Mitigation is provided through upstream Linux kernel patches available in stable releases. The fixes, detailed in kernel git commits such as 26ae2c942b5702f2e43d36b2a4389cfb7d616b6a, 463bddd3ff1acf4036ddb80c34a715eb99debf46, 47d39cb57e8669e507d17d9e0d067d2b3e3a87ae, and bf2558bbdce3ab1d6bcba09f354914e4515d0a2b, extend the affected arrays by appending an empty assignment at index HC_FIELD_MAX (and DC_FIELD_MAX where applicable). This ensures the arrays are sufficiently sized without overwriting adjacent memory, accompanied by explanatory comments for clarity. Security practitioners should update to patched kernel versions supporting the isp1760 driver.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54681
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

usb: isp1760: Fix out-of-bounds array access

Running the driver through kasan gives an interesting splat:

BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c
Read of size 20 at addr f1db2e64 by task swapper/0/1
…
(...)
isp1760_register from isp1760_plat_probe+0x1d8/0x220
(...)

This happens because the loop reading the regmap fields for the different ISP1760 variants looks like this:

for (i = 0; i < HC_FIELD_MAX; i++) {
...
}

Meaning it expects the arrays to be at least HC_FIELD_MAX - 1 long. However the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[], isp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are dynamically sized during compilation.

Fix this by putting an empty assignment to the [HC_FIELD_MAX] and [DC_FIELD_MAX] array member at the end of each array. This will make the array one member longer than it needs to be, but avoids the risk of overwriting whatever is inside [HC_FIELD_MAX - 1] and is simple and intuitive to read.

Also add comments explaining what is going on.
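The sizing pitfall described in the deeper analysis and in the commit message above, as an added example that is not code from this page or from the kernel: a designated-initialiser table is only as long as its highest initialised index plus one, so a probe loop bounded by HC_FIELD_MAX can walk past the end, and a trailing [HC_FIELD_MAX] entry (plus a compile-time size check) removes the hazard. The enum, struct and table contents are simplified, constructed stand-ins for the driver's regmap field arrays.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel's regmap field tables (simplified). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical field enumeration; HC_FIELD_MAX bounds the probe loop. */
enum hc_field {
    HC_FIELD_A,
    HC_FIELD_B,
    HC_FIELD_C,
    HC_FIELD_D,     /* never assigned for this variant */
    HC_FIELD_MAX,   /* == 4 */
};

struct reg_field { unsigned int reg, lsb, msb; };

/* Before the fix: the array length is the highest designated index plus one,
 * so this table has 3 entries while the probe loop reads indices 0..3. */
static const struct reg_field hc_reg_fields_before[] = {
    [HC_FIELD_A] = { 0x00, 0, 7 },
    [HC_FIELD_B] = { 0x04, 0, 15 },
    [HC_FIELD_C] = { 0x08, 0, 3 },
};

/* After the fix, mirroring the upstream approach: an empty entry at
 * [HC_FIELD_MAX] forces the length to HC_FIELD_MAX + 1, so every index the
 * loop touches, including [HC_FIELD_MAX - 1], is a real element. */
static const struct reg_field hc_reg_fields_after[] = {
    [HC_FIELD_A] = { 0x00, 0, 7 },
    [HC_FIELD_B] = { 0x04, 0, 15 },
    [HC_FIELD_C] = { 0x08, 0, 3 },
    [HC_FIELD_MAX] = { 0 },   /* sentinel: makes the array big enough */
};

/* Compile-time guard a maintainer can add so a shrunken table fails the
 * build instead of surviving until KASAN catches it at probe time. */
_Static_assert(ARRAY_SIZE(hc_reg_fields_after) >= HC_FIELD_MAX,
               "hc_reg_fields_after must cover every hc_field index");

/* 1 if a loop for (i = 0; i < HC_FIELD_MAX; i++) stays inside an array of
 * array_len elements, 0 if its last iteration reads past the end. */
int probe_loop_is_in_bounds(size_t array_len)
{
    return array_len >= HC_FIELD_MAX;
}

size_t before_len(void) { return ARRAY_SIZE(hc_reg_fields_before); }
size_t after_len(void)  { return ARRAY_SIZE(hc_reg_fields_after); }
```

Applying the same _Static_assert to hc_reg_fields_before would refuse to compile, which is exactly the point of adding it.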
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel OOB read during driver probe directly enables memory disclosure (T1005), supports privilege escalation chains (T1068), and allows targeted DoS via crash (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of software flaws, directly addressing this out-of-bounds array access by applying the upstream kernel patches that extend the affected arrays.
CM-7 requires restricting systems to least functionality by disabling unnecessary kernel modules like isp1760, preventing the vulnerable probe function from executing upon USB device insertion.
SI-16 enforces memory protection mechanisms such as KASLR and SMAP that limit the impact of out-of-bounds reads in kernel drivers by mitigating information disclosure and potential exploitation.