{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49051", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.242Z", "datePublished": "2025-02-26T01:54:25.850Z", "dateUpdated": "2025-05-04T08:28:41.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:28:41.831Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n endianness flip to corrupt data used by a cloned SKB that has already\n been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n causing out-of-bounds heap data to be considered part of the SKB's\n data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/aqc111.c"], "versions": [{"version": "17364b805f5b9016bb528241ba91481e3497e5e1", "lessThan": "404998a137bcb8a926f7c949030afbe285472593", "status": "affected", "versionType": "git"}, {"version": "17364b805f5b9016bb528241ba91481e3497e5e1", "lessThan": "d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7", "status": "affected", "versionType": "git"}, {"version": "17364b805f5b9016bb528241ba91481e3497e5e1", "lessThan": "b416898442f2b6aa9f1b2f2968ce07e3abaa05f7", "status": "affected", "versionType": "git"}, {"version": "17364b805f5b9016bb528241ba91481e3497e5e1", "lessThan": "36311fe98f55dea9200c69e2dd6d6ddb8fc94080", "status": "affected", "versionType": "git"}, {"version": "17364b805f5b9016bb528241ba91481e3497e5e1", "lessThan": "afb8e246527536848b9b4025b40e613edf776a9d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/aqc111.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.190", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.112", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.35", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.4", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.10.112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.15.35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.17.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593"}, {"url": "https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7"}, {"url": "https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7"}, {"url": "https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080"}, {"url": "https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d"}], "title": "net: usb: aqc111: Fix out-of-bounds accesses in RX fixup", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "59F40C4F-515F-423C-9109-695C6F8EA578", "versionEndExcluding": "5.4.190", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0460A5D2-3024-497A-B799-23E025B91972", "versionEndExcluding": "5.10.112", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "05ABCC3F-88A9-47F9-9D40-8665747B2E43", "versionEndExcluding": "5.15.35", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E22C86CB-06CD-4D16-AB2A-F21EE8199262", "versionEndExcluding": "5.17.4", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*", "matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n endianness flip to corrupt data used by a cloned SKB that has already\n been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n causing out-of-bounds heap data to be considered part of the SKB's\n data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: usb: aqc111: Arreglar accesos fuera de los l\u00edmites en RX fixup aqc111_rx_fixup() contiene varios accesos fuera de los l\u00edmites que pueden ser activados por un dispositivo USB malicioso (o defectuoso), en particular: - La matriz de metadatos (desc_offset..desc_offset+2*pkt_count) puede estar fuera de los l\u00edmites, causando lecturas OOB y (en sistemas big-endian) cambios de endianness OOB. - Un paquete puede superponerse a la matriz de metadatos, causando que un cambio de endianness OOB posterior corrompa los datos utilizados por un SKB clonado que ya se ha entregado a la pila de red. - Se puede construir un SKB de paquete cuya cola est\u00e9 mucho m\u00e1s all\u00e1 de su final, causando que los datos del mont\u00f3n fuera de los l\u00edmites se consideren parte de los datos del SKB. Se encontr\u00f3 haciendo an\u00e1lisis de variantes. Lo prob\u00e9 con otro controlador (ax88179_178a), ya que no tengo un dispositivo aqc111 para probarlo, pero el c\u00f3digo parece muy similar."}], "id": "CVE-2022-49051", "lastModified": "2025-09-23T18:28:45.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:00:42.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup", "id": "2347990", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347990"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n- The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\ncausing OOB reads and (on big-endian systems) OOB endianness flips.\n- A packet can overlap the metadata array, causing a later OOB\nendianness flip to corrupt data used by a cloned SKB that has already\nbeen handed off into the network stack.\n- A packet SKB can be constructed whose tail is far beyond its end,\ncausing out-of-bounds heap data to be considered part of the SKB's\ndata.\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar."], "name": "CVE-2022-49051", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49051\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49051\nhttps://lore.kernel.org/linux-cve-announce/2025022651-CVE-2022-49051-08bd@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:23:53.184785+00:00", "updated": "2025-07-12T22:23:53.184847+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}