CVE-2022-49792 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: mp2629: fix potential array out of bound access

Add sentinel at end of maps to avoid potential array out of bound access in iio core.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability CVE-2022-49792 addresses a critical array out of bounds access issue within the Linux kernel's industrial I/O (IIO) subsystem, specifically affecting the mp2629 ADC driver. This flaw exists in the kernel's handling of device property mappings and represents a classic buffer overflow vulnerability that could potentially lead to system instability or privilege escalation. The mp2629 is a power management IC that includes an analog-to-digital converter, commonly used in embedded systems and mobile devices for monitoring power delivery and system health. The vulnerability stems from improper boundary checking when the IIO core processes device property maps, creating an opportunity for attackers to manipulate memory access patterns that could result in unauthorized code execution or denial of service conditions.

The technical implementation of this vulnerability occurs within the IIO subsystem's device property handling mechanism where arrays containing device configuration mappings are accessed without proper bounds validation. When the kernel processes device properties for the mp2629 ADC, it iterates through predefined mapping tables to configure the device's operational parameters. Without proper sentinel values at the end of these mapping arrays, the kernel's IIO core may continue accessing memory beyond the intended array boundaries, potentially reading or writing to adjacent memory locations. This type of vulnerability falls under CWE-129, which specifically addresses insufficient bounds checking, and represents a common class of memory safety issues that can be exploited through carefully crafted input data or device configuration parameters.

The operational impact of CVE-2022-49792 extends beyond simple memory corruption, as it affects systems that rely on the IIO subsystem for hardware monitoring and power management functions. Devices utilizing the mp2629 ADC, including smartphones, tablets, embedded systems, and IoT devices, could experience system crashes, unexpected behavior, or potential privilege escalation if exploited. The vulnerability is particularly concerning in mobile and embedded environments where the kernel's IIO subsystem handles critical power management functions and where attackers might leverage this flaw to gain elevated privileges. Additionally, systems that use the IIO subsystem for real-time monitoring and control could face denial of service conditions that would disrupt normal operation and potentially lead to safety-critical failures in industrial applications.

The fix implemented for this vulnerability involves adding sentinel values at the end of device property mapping arrays, which serves as a standard defensive programming technique to prevent out of bounds access. This approach aligns with the ATT&CK framework's defensive techniques for preventing memory corruption vulnerabilities, specifically addressing the pattern of insufficient input validation that leads to buffer overflows. The mitigation strategy requires updating the Linux kernel to a version containing the patched mp2629 ADC driver implementation, where sentinel values are properly placed within the mapping tables to ensure that array access operations terminate correctly. System administrators should prioritize kernel updates, particularly in production environments where embedded systems or mobile devices utilizing the mp2629 ADC are deployed, as this vulnerability could be exploited in targeted attacks against vulnerable device fleets. The fix demonstrates the importance of proper array boundary management in kernel space code and reinforces the need for comprehensive input validation in system-level software components that handle device configuration data.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00170

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!