CVE-2022-48701

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces.

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.05%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/b970518014f2f0f6c493fb86c1e092b936899061 patch
https://git.kernel.org/stable/c/91904870370fd986c29719846ed76d559de43251 patch
https://git.kernel.org/stable/c/2a308e415d247a23d4d64c964c02e782eede2936 patch
https://git.kernel.org/stable/c/0492798bf8dfcc09c9337a1ba065da1d1ca68712 patch
https://git.kernel.org/stable/c/6123bec8480d23369e2ee0b2208611619f269faf patch
https://git.kernel.org/stable/c/98e8e67395cc6d0cdf3a771f86ea42d0ee6e59dd patch
https://git.kernel.org/stable/c/8293e61bbf908b18ff9935238d4fc2ad359e3fe0 patch
https://git.kernel.org/stable/c/e53f47f6c1a56d2af728909f1cb894da6b43d9bf patch

Frequently Asked Questions

What is the severity of CVE-2022-48701?
CVE-2022-48701 has been scored as a high severity vulnerability.
How to fix CVE-2022-48701?
To fix CVE-2022-48701, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-48701 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-48701 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-48701?
CVE-2022-48701 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.