CVE-2022-49772 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()

snd_usbmidi_output_open() has a check of the NULL port with snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened, but in reality, the NULL port may be seen when the device gives an invalid endpoint setup at the descriptor, hence the driver skips the allocation. That is, the check itself is valid and snd_BUG_ON() should be dropped from there. Otherwise it's confusing as if it were a real bug, as recently syzbot stumbled on it.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2022-49772 affects the Linux kernel's ALSA USB audio subsystem, specifically within the snd_usbmidi_output_open() function. This issue represents a case where defensive programming practices have been misapplied, leading to misleading error reporting and potential operational confusion. The flaw exists in the USB audio driver's handling of device endpoint descriptors, where the kernel attempts to validate port allocation during MIDI output initialization.

The technical implementation involves the use of snd_BUG_ON() macro within the snd_usbmidi_output_open() function, which serves as a debugging assertion that should trigger a kernel panic when a condition evaluates to true. However, this particular usage is problematic because the NULL port check is not actually a bug condition but rather a legitimate scenario that can occur during device enumeration. When USB devices present invalid endpoint setup descriptors, the driver legitimately skips port allocation and returns a NULL port, which is a valid operational state rather than a kernel error condition.

This misapplication of kernel debugging macros creates a significant operational impact as it generates false positive error reports that can confuse system administrators and automated monitoring tools. The vulnerability was discovered through syzbot, an automated bug finding system that monitors kernel stability, indicating that this issue can manifest in real-world scenarios involving malformed USB audio device descriptors. The confusion arises because snd_BUG_ON() is typically reserved for conditions that should never occur under normal circumstances, whereas the NULL port scenario represents a legitimate edge case in device driver behavior.

The resolution involves removing the snd_BUG_ON() check from snd_usbmidi_output_open() since the validation itself is correct but the assertion mechanism is inappropriate. This change aligns with proper kernel development practices where legitimate error conditions should be handled gracefully rather than triggering kernel panics. The fix addresses a CWE-754 weakness related to improper handling of error conditions and aligns with ATT&CK technique T1489 which involves system network configuration modification through kernel-level operations. This vulnerability demonstrates the importance of proper error handling in kernel drivers and the distinction between actual kernel bugs and expected operational edge cases that require graceful degradation rather than system termination.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!