CVE-2022-49031 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:

iio: health: afe4403: Fix oob read in afe4403_read_raw

KASAN reports an out-of-bounds read as follows:

BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
Read of size 4 at addr ffffffffc02ac638 by task cat/279

Call Trace:
 afe4403_read_raw
 iio_read_channel_info
 dev_attr_show

The buggy address belongs to the variable:
 afe4403_channel_leds+0x18/0xffffffffffffe9e0

This issue can be reproduced by a single command:

$ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw

The array size of afe4403_channel_leds is less than channels, so access with chan->address causes an OOB read in afe4403_read_raw. Fix it by moving the access to right before its use.
Analysis
by VulDB Data Team • 01/19/2026
CVE-2022-49031 is a critical out-of-bounds read in the Linux kernel's Industrial I/O (IIO) subsystem, specifically in the afe4403 driver for a medical sensor front end. The bug is in afe4403_read_raw, which indexes the afe4403_channel_leds array with chan->address and, for some channels, reads past the end of that array. KASAN reports it as a global out-of-bounds read of size 4 at address ffffffffc02ac638: a memory-safety violation that could lead to system instability or potentially contribute to privilege escalation. The flaw is classified under CWE-129, "Improper Validation of Array Index", and mapped to ATT&CK technique T1068 (privilege escalation through kernel vulnerabilities).
Technically, the flaw is a missing bounds check in the driver's channel handling. afe4403_channel_leds has fewer entries than the driver's channel list, yet chan->address is used as an index into it for every channel, so for the higher-numbered channels the lookup lands beyond the end of the array. KASAN (Kernel Address Sanitizer) detects the access, and its call trace shows the path from the user-space read cat /sys/bus/spi/devices/spi0.0/iio:device0/in_intensity6_raw through dev_attr_show and iio_read_channel_info into afe4403_read_raw. The access is a textbook out-of-bounds read: the computed index yields an address outside the memory allocated for afe4403_channel_leds.
The operational impact goes beyond one stray read because the trigger is reachable from user space: any user or process that can read the afe4403 sysfs attribute can cause the out-of-bounds access. Depending on the kernel configuration, the result can be a crash (denial of service), corrupted readings, or, in combination with other weaknesses, a step toward privilege escalation. The exposure matters most in embedded systems and medical devices, where the IIO subsystem sits directly in front of sensitive hardware and a faulty driver undermines both device integrity and data accuracy. The root cause is how the driver maps channel enumeration onto fixed-size lookup tables, which is why the same bug shape can show up as both denial-of-service and more serious exploitation scenarios.
Mitigation for CVE-2022-49031 centers on proper bounds checking and array validation in the driver. The upstream fix moves the afe4403_channel_leds lookup to the point where its result is used, so the index is only applied in the code path for which it is valid rather than on every call. Administrators should apply the kernel update carrying this fix promptly, since every system running an affected kernel with the afe4403 driver enabled is exposed; until then, note that the trigger is a local read of a sysfs attribute, so limiting who can access the IIO device directory reduces exposure. Keeping kernels current and running runtime monitoring through kernel security modules helps against similar bugs. Organizations should also apply network segmentation and access controls around systems that expose IIO device interfaces, and include the other IIO drivers in regular security audits, since the same pattern of a fixed-size table indexed by channel address can recur elsewhere in the subsystem.
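The bug shape described in the technical paragraph and the fix described in the mitigation paragraph, as an added C example. This is constructed model code, not the afe4403 driver: the table names, sizes and contents are placeholders, and the "before" function performs a bounds-checked lookup that records the out-of-bounds attempt instead of actually reading past the array, which is what KASAN catches in the real kernel.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not the kernel's definitions): one lookup table large
 * enough for every intensity channel, and a smaller LED table that is only
 * valid for the three current channels. Values are placeholders. */
enum chan_type { CHAN_INTENSITY, CHAN_CURRENT };

struct chan_spec {
	enum chan_type type;
	size_t address;		/* index into the per-type lookup table */
};

#define N_INTENSITY 6		/* in_intensity1_raw .. in_intensity6_raw */
#define N_LEDS 3		/* one field per LED driver */

static const unsigned int channel_values[N_INTENSITY] = {
	0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F
};
static const unsigned int channel_leds[N_LEDS] = { 0x11, 0x22, 0x33 };

/* Bounds-checked lookup: returns 0 and stores the entry, or returns -1 and
 * sets *oob when idx is past the end of the table. */
static int table_get(const unsigned int *tbl, size_t n, size_t idx,
		     unsigned int *out, int *oob)
{
	if (idx >= n) {
		*oob = 1;
		return -1;
	}
	*out = tbl[idx];
	return 0;
}

/* Shape before the fix: both tables are indexed with chan->address on
 * entry, before the code knows which one it needs. For an intensity channel
 * with address 5 the 3-entry LED table is read out of bounds even though
 * the result is never used. */
static int read_raw_before(const struct chan_spec *chan, unsigned int *val,
			   int *oob)
{
	unsigned int reg = 0, field = 0;

	*oob = 0;
	table_get(channel_values, N_INTENSITY, chan->address, &reg, oob);
	table_get(channel_leds, N_LEDS, chan->address, &field, oob); /* bug */

	switch (chan->type) {
	case CHAN_INTENSITY:
		*val = reg;
		return 0;
	case CHAN_CURRENT:
		*val = field;
		return 0;
	}
	return -1;
}

/* Shape after the fix: each lookup happens only in the branch that uses it,
 * so an index is only applied to the table it is valid for. The explicit
 * size check in table_get is additional hardening on top of that move. */
static int read_raw_after(const struct chan_spec *chan, unsigned int *val,
			  int *oob)
{
	*oob = 0;
	switch (chan->type) {
	case CHAN_INTENSITY:
		return table_get(channel_values, N_INTENSITY, chan->address,
				 val, oob);
	case CHAN_CURRENT:
		return table_get(channel_leds, N_LEDS, chan->address, val, oob);
	}
	return -1;
}

/* The page's reproducer, reading the sixth intensity channel (address 5):
 * these return the OOB flag observed by each version. */
int oob_before_intensity6(void)
{
	struct chan_spec c = { CHAN_INTENSITY, 5 };
	unsigned int v;
	int oob;

	read_raw_before(&c, &v, &oob);
	return oob;
}

int oob_after_intensity6(void)
{
	struct chan_spec c = { CHAN_INTENSITY, 5 };
	unsigned int v;
	int oob;

	read_raw_after(&c, &v, &oob);
	return oob;
}

/* A valid current-channel read (address 2, third LED field) still works. */
unsigned int value_after_current3(void)
{
	struct chan_spec c = { CHAN_CURRENT, 2 };
	unsigned int v = 0;
	int oob;

	read_raw_after(&c, &v, &oob);
	return v;
}

int main(void)
{
	printf("before fix, in_intensity6_raw reads LED table OOB: %d\n",
	       oob_before_intensity6());
	printf("after fix,  in_intensity6_raw reads LED table OOB: %d\n",
	       oob_after_intensity6());
	printf("after fix,  current channel 3 field: 0x%x\n",
	       value_after_current3());
	return 0;
}
```

The model keeps the driver's structure (one index, two tables of different sizes) to make the point visible: the unused lookup in read_raw_before is exactly the read that shows up in the KASAN trace, and moving it into the CHAN_CURRENT branch removes the access without changing any returned value. When auditing other drivers for the same pattern, look for lookups performed unconditionally at function entry with an index whose range is only guaranteed in one branch.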