{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49051","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.242Z","datePublished":"2025-02-26T01:54:25.850Z","dateUpdated":"2025-05-04T08:28:41.831Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:28:41.831Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n   causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n   endianness flip to corrupt data used by a cloned SKB that has already\n   been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n   causing out-of-bounds heap data to be considered part of the SKB's\n   data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/aqc111.c"],"versions":[{"version":"17364b805f5b9016bb528241ba91481e3497e5e1","lessThan":"404998a137bcb8a926f7c949030afbe285472593","status":"affected","versionType":"git"},{"version":"17364b805f5b9016bb528241ba91481e3497e5e1","lessThan":"d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7","status":"affected","versionType":"git"},{"version":"17364b805f5b9016bb528241ba91481e3497e5e1","lessThan":"b416898442f2b6aa9f1b2f2968ce07e3abaa05f7","status":"affected","versionType":"git"},{"version":"17364b805f5b9016bb528241ba91481e3497e5e1","lessThan":"36311fe98f55dea9200c69e2dd6d6ddb8fc94080","status":"affected","versionType":"git"},{"version":"17364b805f5b9016bb528241ba91481e3497e5e1","lessThan":"afb8e246527536848b9b4025b40e613edf776a9d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/aqc111.c"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"5.4.190","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.112","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.35","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.4","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.4.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.10.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593"},{"url":"https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7"},{"url":"https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7"},{"url":"https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080"},{"url":"https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d"}],"title":"net: usb: aqc111: Fix out-of-bounds accesses in RX fixup","x_generator":{"engine":"bippy-1.2.0"}}}}