CVE-2022-49291: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
First published: Wed Feb 26 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls. This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params and hw_free ioctl code paths. Along with it, the both functions are slightly modified (the mmap_count check is moved into the state-check block) for code simplicity.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | <4.14.279 | |
| Linux Kernel | >=4.15<4.19.243 | |
| Linux Kernel | >=4.20<5.4.193 | |
| Linux Kernel | >=5.5<5.10.109 | |
| Linux Kernel | >=5.11<5.15.32 | |
| Linux Kernel | >=5.16<5.16.18 | |
| Linux Kernel | >=5.17<5.17.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/a42aa926843acca96c0dfbde2e835b8137f2f092
- https://git.kernel.org/stable/c/9cb6c40a6ebe4a0cfc9d6a181958211682cffea9
- https://git.kernel.org/stable/c/fbeb492694ce0441053de57699e1e2b7bc148a69
- https://git.kernel.org/stable/c/0f6947f5f5208f6ebd4d76a82a4757e2839a23f8
- https://git.kernel.org/stable/c/33061d0fba51d2bf70a2ef9645f703c33fe8e438
- https://git.kernel.org/stable/c/0090c13cbbdffd7da079ac56f80373a9a1be0bf8
- https://git.kernel.org/stable/c/1bbf82d9f961414d6c76a08f7f843ea068e0ab7b
- https://git.kernel.org/stable/c/92ee3c60ec9fe64404dc035e7c41277d74aa26cb
Frequently Asked Questions
What is the severity of CVE-2022-49291?
CVE-2022-49291 has been classified as a high severity vulnerability due to the potential for a use-after-free condition.
How do I fix CVE-2022-49291?
To fix CVE-2022-49291, update the Linux kernel to a version that includes the patch addressing the race conditions in ALSA PCM.
Which versions of the Linux kernel are affected by CVE-2022-49291?
CVE-2022-49291 affects multiple versions of the Linux kernel, particularly those up to 4.14.279 and in the ranges of 4.15 to 4.19.243, 4.20 to 5.4.193, 5.5 to 5.10.109, 5.11 to 5.15.32, 5.16 to 5.16.18, and 5.17 to 5.17.1.
What components are impacted by CVE-2022-49291?
CVE-2022-49291 specifically impacts the ALSA PCM subsystem in the Linux kernel.
Is CVE-2022-49291 exploitable remotely?
CVE-2022-49291 may be exploited locally, particularly by processes with sufficient privileges to invoke ALSA PCM functionality.
- agent/first-publish-date
- agent/type
- agent/title
- agent/references
- agent/author
- agent/source
- agent/description
- agent/weakness
- agent/severity
- agent/guess-ai
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.15
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/5.17