Cyber Resilience

CVE-2022-49612

High

Published: 26 February 2025

Published
26 February 2025
Modified
23 October 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49612 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-49612 is a vulnerability in the Linux kernel's power supply core subsystem, specifically affecting the functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple. These functions incorrectly handle boundary conditions during interpolation, leading to issues such as an out-of-bounds read when the input ocv exceeds table[0].ocv, due to erroneous index assignments like "high = i - 1" and "high = i". The flaw was introduced by commit a4585ba2050f460f749bbaf2b67bd56c41e30283 ("power: supply: core: Use library interpolation") and is classified under CWE-787 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the affected interpolation functions under specific boundary conditions, such as providing an ocv value greater than the first table entry or temperatures outside expected ranges. Successful exploitation results in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes due to the out-of-bounds access.

Kernel patches addressing this issue are available in stable branches, including commit 093d27bb6f2d1963f927ef59c9a2d37059175426 and commit a762cee5d933fe4e2e1b773d60fc74fb8248d8c4, which fix the index logic errors and boundary handling in both functions. Security practitioners should ensure affected Linux kernel versions are updated to incorporate these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: power: supply: core: Fix boundary conditions in interpolation The functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple handle boundary conditions incorrectly. The change was introduced in a4585ba2050f460f749bbaf2b67bd56c41e30283 ("power: supply: core: Use library interpolation"). There…

more

are two issues: First, the lines "high = i - 1" and "high = i" in ocv2cap have the wrong order compared to temp2resist. As a consequence, ocv2cap sets high=-1 if ocv>table[0].ocv, which causes an out-of-bounds read. Second, the logic of temp2resist is also not correct. Consider the case table[] = {{20, 100}, {10, 80}, {0, 60}}. For temp=5, we expect a resistance of 70% by interpolation. However, temp2resist sets high=low=2 and returns 60.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel OOB read in power supply interpolation functions directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel
CVE-2026-23343Same product: Linux Linux Kernel
CVE-2026-23092Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 5.17 — 5.18.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely remediation of identified software flaws, directly addressing the boundary condition errors in the Linux kernel's power supply interpolation functions via available patches.

prevent

Implements memory protection mechanisms that mitigate exploitation of the out-of-bounds read resulting from improper index handling in the affected functions.

prevent

Requires validation of inputs like ocv and temperature values against table boundaries to prevent out-of-bounds access during interpolation.

References