{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49945","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.381Z","datePublished":"2025-06-18T11:00:01.037Z","dateUpdated":"2026-05-11T19:09:42.968Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:09:42.968Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (gpio-fan) Fix array out of bounds access\n\nThe driver does not check if the cooling state passed to\ngpio_fan_set_cur_state() exceeds the maximum cooling state as\nstored in fan_data->num_speeds. Since the cooling state is later\nused as an array index in set_fan_speed(), an array out of bounds\naccess can occur.\nThis can be exploited by setting the state of the thermal cooling device\nto arbitrary values, causing for example a kernel oops when unavailable\nmemory is accessed this way.\n\nExample kernel oops:\n[  807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064\n[  807.987369] Mem abort info:\n[  807.987398]   ESR = 0x96000005\n[  807.987428]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  807.987477]   SET = 0, FnV = 0\n[  807.987507]   EA = 0, S1PTW = 0\n[  807.987536]   FSC = 0x05: level 1 translation fault\n[  807.987570] Data abort info:\n[  807.987763]   ISV = 0, ISS = 0x00000005\n[  807.987801]   CM = 0, WnR = 0\n[  807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000\n[  807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP\n[  807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G         C        5.15.56-v8+ #1575\n[  807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]\n[  807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]\n[  807.988691] sp : ffffffc008cf3bd0\n[  807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000\n[  807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920\n[  807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c\n[  807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000\n[  807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70\n[  807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c\n[  807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009\n[  807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8\n[  807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060\n[  807.989084] Call trace:\n[  807.989091]  set_fan_speed.part.5+0x34/0x80 [gpio_fan]\n[  807.989113]  gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]\n[  807.989199]  cur_state_store+0x84/0xd0\n[  807.989221]  dev_attr_store+0x20/0x38\n[  807.989262]  sysfs_kf_write+0x4c/0x60\n[  807.989282]  kernfs_fop_write_iter+0x130/0x1c0\n[  807.989298]  new_sync_write+0x10c/0x190\n[  807.989315]  vfs_write+0x254/0x378\n[  807.989362]  ksys_write+0x70/0xf8\n[  807.989379]  __arm64_sys_write+0x24/0x30\n[  807.989424]  invoke_syscall+0x4c/0x110\n[  807.989442]  el0_svc_common.constprop.3+0xfc/0x120\n[  807.989458]  do_el0_svc+0x2c/0x90\n[  807.989473]  el0_svc+0x24/0x60\n[  807.989544]  el0t_64_sync_handler+0x90/0xb8\n[  807.989558]  el0t_64_sync+0x1a0/0x1a4\n[  807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)\n[  807.989627] ---[ end t\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hwmon/gpio-fan.c"],"versions":[{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"e9f6972ab40a82bd7f6d36800792ba2e084474d8","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"3ff866455e1e263a9ac1958095fd440984248e2f","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"c8ae6a18708f260ccdeef6ba53af7548457dc26c","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"7756eb1ed124753f4d64f761fc3d84290dffcb4d","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"517dba798793e69b510779c3cde7224a65f3ed1d","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"53196e0376205ed49b75bfd0475af5e0fbd20156","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"3263984c7acdcb0658155b05a724ed45a10de76d","status":"affected","versionType":"git"},{"version":"b5cf88e46badea6d600d8515edea23814e03444d","lessThan":"f233d2be38dbbb22299192292983037f01ab363c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/hwmon/gpio-fan.c"],"versions":[{"version":"4.1","status":"affected"},{"version":"0","lessThan":"4.1","status":"unaffected","versionType":"semver"},{"version":"4.9.328","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.293","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.258","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.213","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.142","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.66","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.8","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"4.9.328"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"4.14.293"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"4.19.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.4.213"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.10.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.15.66"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.19.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e9f6972ab40a82bd7f6d36800792ba2e084474d8"},{"url":"https://git.kernel.org/stable/c/3ff866455e1e263a9ac1958095fd440984248e2f"},{"url":"https://git.kernel.org/stable/c/c8ae6a18708f260ccdeef6ba53af7548457dc26c"},{"url":"https://git.kernel.org/stable/c/7756eb1ed124753f4d64f761fc3d84290dffcb4d"},{"url":"https://git.kernel.org/stable/c/517dba798793e69b510779c3cde7224a65f3ed1d"},{"url":"https://git.kernel.org/stable/c/53196e0376205ed49b75bfd0475af5e0fbd20156"},{"url":"https://git.kernel.org/stable/c/3263984c7acdcb0658155b05a724ed45a10de76d"},{"url":"https://git.kernel.org/stable/c/f233d2be38dbbb22299192292983037f01ab363c"}],"title":"hwmon: (gpio-fan) Fix array out of bounds access","x_generator":{"engine":"bippy-1.2.0"}}}}