Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2 usb-audio privilege escalation

Summaryinfo

A vulnerability identified as problematic has been detected in Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2. This affects an unknown part of the component usb-audio. This manipulation causes an unknown weakness. This vulnerability is registered as CVE-2022-49545. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic was found in Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2. Affected by this vulnerability is some unknown functionality of the component usb-audio. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Cancel pending work at closing a MIDI substream At closing a USB MIDI output substream, there might be still a pending work, which would eventually access the rawmidi runtime object that is being released. For fixing the race, make sure to cancel the pending work at closing.

The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2022-49545 since 02/26/2025. The exploitation appears to be difficult. Neither technical details nor an exploit are publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 234484 (SUSE SLES15 Security Update : kernel (SUSE-SU-2025:1263-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.10.121, 5.15.46, 5.17.14 or 5.18.3 eliminates this vulnerability. Applying the patch 40bdb5ec957aca5c5c1924602bef6b0ab18e22d3/11868ca21585561659c2575b0d6508ef8e9c4291/5e5fe2b6065541c6216a7a003b0cddf386be0d2d/517dcef4d2dda0132648f1e4c079ed17bba4d1a4/0125de38122f0f66bf61336158d12a1aabfe6425 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (234484). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.10.120
• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 5.15.9
• 5.15.10
• 5.15.11
• 5.15.12
• 5.15.13
• 5.15.14
• 5.15.15
• 5.15.16
• 5.15.17
• 5.15.18
• 5.15.19
• 5.15.20
• 5.15.21
• 5.15.22
• 5.15.23
• 5.15.24
• 5.15.25
• 5.15.26
• 5.15.27
• 5.15.28
• 5.15.29
• 5.15.30
• 5.15.31
• 5.15.32
• 5.15.33
• 5.15.34
• 5.15.35
• 5.15.36
• 5.15.37
• 5.15.38
• 5.15.39
• 5.15.40
• 5.15.41
• 5.15.42
• 5.15.43
• 5.15.44
• 5.15.45
• 5.17.0
• 5.17.1
• 5.17.2
• 5.17.3
• 5.17.4
• 5.17.5
• 5.17.6
• 5.17.7
• 5.17.8
• 5.17.9
• 5.17.10
• 5.17.11
• 5.17.12
• 5.17.13
• 5.18.0
• 5.18.1
• 5.18.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion