{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T14:19:39.016","vulnerabilities":[{"cve":{"id":"CVE-2022-49051","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:00:42.363","lastModified":"2025-09-23T18:28:45.417","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n   causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n   endianness flip to corrupt data used by a cloned SKB that has already\n   been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n   causing out-of-bounds heap data to be considered part of the SKB's\n   data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: usb: aqc111: Arreglar accesos fuera de los límites en RX fixup aqc111_rx_fixup() contiene varios accesos fuera de los límites que pueden ser activados por un dispositivo USB malicioso (o defectuoso), en particular: - La matriz de metadatos (desc_offset..desc_offset+2*pkt_count) puede estar fuera de los límites, causando lecturas OOB y (en sistemas big-endian) cambios de endianness OOB. - Un paquete puede superponerse a la matriz de metadatos, causando que un cambio de endianness OOB posterior corrompa los datos utilizados por un SKB clonado que ya se ha entregado a la pila de red. - Se puede construir un SKB de paquete cuya cola esté mucho más allá de su final, causando que los datos del montón fuera de los límites se consideren parte de los datos del SKB. Se encontró haciendo análisis de variantes. Lo probé con otro controlador (ax88179_178a), ya que no tengo un dispositivo aqc111 para probarlo, pero el código parece muy similar."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"PHYSICAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.4.190","matchCriteriaId":"59F40C4F-515F-423C-9109-695C6F8EA578"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.112","matchCriteriaId":"0460A5D2-3024-497A-B799-23E025B91972"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.35","matchCriteriaId":"05ABCC3F-88A9-47F9-9D40-8665747B2E43"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.17.4","matchCriteriaId":"E22C86CB-06CD-4D16-AB2A-F21EE8199262"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*","matchCriteriaId":"6AD94161-84BB-42E6-9882-4FC0C42E9FC1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/36311fe98f55dea9200c69e2dd6d6ddb8fc94080","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/afb8e246527536848b9b4025b40e613edf776a9d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b416898442f2b6aa9f1b2f2968ce07e3abaa05f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d90df6da50c56ad8b1a132e3cf86b6cdf8f507b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}