CVE-2022-49733: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
First published: Sun Mar 02 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently. The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| <5.4.215 | ||
| >=5.5<5.10.148 | ||
| >=5.11<5.15.68 | ||
| >=5.16<5.19.9 | ||
| =6.0-rc1 | ||
| =6.0-rc2 | ||
| =6.0-rc3 | ||
| =6.0-rc4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/4051324a6dafd7053c74c475e80b3ba10ae672b0
- https://git.kernel.org/stable/c/fce793a056c604b41a298317cf704dae255f1b36
- https://git.kernel.org/stable/c/8015ef9e8a0ee5cecfd0cb6805834d007ab26f86
- https://git.kernel.org/stable/c/723ac5ab2891b6c10dd6cc78ef5456af593490eb
- https://git.kernel.org/stable/c/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
Frequently Asked Questions
What is the severity of CVE-2022-49733?
CVE-2022-49733 is classified as a medium-severity vulnerability in the Linux kernel.
How do I fix CVE-2022-49733?
To fix CVE-2022-49733, update your Linux kernel to the latest patched version provided by your distribution.
What impact does CVE-2022-49733 have on systems?
CVE-2022-49733 could lead to potential race conditions affecting the ALSA PCM layer, which may disrupt audio processing.
Is CVE-2022-49733 exploitable remotely?
CVE-2022-49733 is not easily exploitable remotely, as it requires local access to the system.
Which versions of the Linux Kernel are affected by CVE-2022-49733?
CVE-2022-49733 affects multiple versions of the Linux Kernel prior to the fix; specific versions should be verified based on your system.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/type
- agent/references
- agent/first-publish-date
- agent/description
- agent/author
- agent/source
- agent/weakness
- agent/remedy
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup-request
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.0-rc1
- version/linux kernel/6.0-rc2
- version/linux kernel/6.0-rc3
- version/linux kernel/6.0-rc4