CVE-2022-48702 in Linux
Summary
by MITRE • 05/03/2024
In the Linux kernel, the following vulnerability has been resolved:
ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the newly allocated voices as if it never wrapped around.
This results in out of bounds access if the first voice has a high enough index so that first_voice + requested_voice_count > NUM_G (64). The more voices are requested, the more likely it is for this to occur.
This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero
UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
Call Trace:
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Analysis
by VulDB Data Team • 09/29/2025
The vulnerability CVE-2022-48702 represents a critical out-of-bounds memory access flaw within the Linux kernel's ALSA subsystem, specifically affecting the emu10k1 driver used for audio processing. This issue manifests in the snd_emu10k1_pcm_channel_alloc() function where the voice allocator logic fails to properly handle array wrapping behavior during channel allocation. The flaw occurs when the allocator begins allocating voices from near the end of the 64-element voice array and then wraps around to the beginning, but the subsequent code accesses these voices without accounting for this wraparound condition.
The vulnerability stems from improper bounds checking in the voice allocation algorithm. When the first voice index plus the requested voice count exceeds the array size of 64 elements, the code attempts to access memory beyond the end of the array. UBSAN (Undefined Behavior Sanitizer) detects this out-of-bounds access and reports it as an array-index-out-of-bounds error. The vulnerability is particularly concerning because it can be triggered through normal audio operations using the aplay command with multiple channels, making it exploitable in legitimate audio processing scenarios.
The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a potential pathway for privilege escalation and system instability. The flaw affects the emu10k1 audio driver which is commonly used in professional audio equipment and gaming systems, making it a significant concern for both desktop and embedded systems. The vulnerability is classified under CWE-129, which addresses insufficient bounds checking, and aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities. Attackers could potentially leverage this flaw to execute arbitrary code with kernel privileges, leading to complete system compromise.
The mitigation strategy for CVE-2022-48702 requires immediate kernel updates that patch the voice allocation logic in the emu10k1 driver. The fix must ensure proper bounds checking that accounts for array wrapping behavior during voice allocation operations, preventing access to memory beyond the 64-element voice array. System administrators should prioritize applying the patched kernel versions and monitor for any potential denial-of-service conditions that might occur during the update process. Additionally, implementing runtime protections such as kernel address space layout randomization and stack canaries can provide additional defense-in-depth measures against exploitation attempts. Organizations using affected hardware should also consider temporarily disabling the emu10k1 driver if immediate patching is not feasible, while monitoring system logs for any signs of exploitation attempts.
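The wraparound mismatch described above, and the wrap-aware indexing the fix calls for, as a simplified user-space model added here for illustration; it is not the emu10k1 driver's code. The allocator, the function names and the starting index 56 are assumptions; only the array size of 64 and the 16-voice request come from the advisory.

```c
#include <stdio.h>

#define NUM_G 64 /* size of the voice array, per the advisory */

static struct voice { int in_use; } voices[NUM_G]; /* zeroed: all free */

/* Hypothetical allocator: search from `start`, wrapping modulo NUM_G, for
 * `count` consecutive free voices. Returns the first index, or -1. */
static int voice_alloc(int start, int count) {
    for (int n = 0; n < NUM_G; n++) {
        int first = (start + n) % NUM_G, j;
        for (j = 0; j < count && !voices[(first + j) % NUM_G].in_use; j++)
            ;
        if (j < count)
            continue; /* a busy voice blocks this run, try the next start */
        for (j = 0; j < count; j++)
            voices[(first + j) % NUM_G].in_use = 1;
        return first;
    }
    return -1;
}

/* Caller that ignores the wrap: counts how many of first..first+count-1
 * fall outside the array. The indices are computed but never used. */
static int linear_oob_count(int first, int count) {
    int oob = 0;
    for (int i = 0; i < count; i++)
        oob += (first + i >= NUM_G);
    return oob;
}

/* Wrap-aware caller: applies the allocator's modulo and checks that each
 * voice it picks up is one the allocator marked in use. */
static int collect_wrapped(int first, int count, struct voice **out) {
    for (int i = 0; i < count; i++) {
        out[i] = &voices[(first + i) % NUM_G];
        if (!out[i]->in_use)
            return 0;
    }
    return 1;
}

int main(void) {
    struct voice *v[16];
    int first = voice_alloc(56, 16); /* constructed: search starts near the end */
    printf("first=%d linear_oob=%d wrapped_ok=%d\n", first,
           linear_oob_count(first, 16), collect_wrapped(first, 16, v));
    return 0;
}
```

With the constructed start of 56, half of the 16 linear indices land past the end of the array, while the modulo form resolves them to voices 0 through 7, the ones the allocator actually reserved.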