CVE-2022-49051

Severity: Medium · CVSS 3.1: 6.8 · EPSS: 32.8%
Published: Feb 26, 2025 · Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Fix out-of-bounds accesses in RX fixup

aqc111_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular:

  • The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips.
  • A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack.
  • A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data.

Found doing variant analysis. Tested it with another driver (ax88179_178a), since I don't have an aqc111 device to test it, but the code looks very similar.

CVSS Details

Base Score 6.8
Exploitability 0.9
Impact 5.9
Vector string CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Physical
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability: 32.8% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 2

CWE-125 Out-of-bounds Read Memory Safety
CWE-787 Out-of-bounds Write Memory Safety

Affected Products 5

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥5.0 – <5.4.190
linux    linux_kernel   *         ≥5.5 – <5.10.112
linux    linux_kernel   *         ≥5.11 – <5.15.35
linux    linux_kernel   *         ≥5.16 – <5.17.4
linux    linux_kernel   5.18      any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7
    Patch
