{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T04:06:26.277","vulnerabilities":[{"cve":{"id":"CVE-2022-49292","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:01:06.047","lastModified":"2025-09-22T19:44:21.193","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc().  Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device.  Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers.  First off, it adds the limit of 1MB as the\nupper bound for period bytes.  This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size.  The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: oss: Fix PCM OSS buffer assignment overflow Tenemos informes de syzbot que alcanzan un desbordamiento de INT_MAX en la asignación de vmalloc() que se llama desde snd_pcm_plug_alloc(). Aunque aplicamos las restricciones a los parámetros de entrada, se basa solo en hw_params del dispositivo PCM subyacente. Dado que la capa PCM OSS asigna un búfer temporal para la conversión de datos, el tamaño puede volverse inesperadamente grande cuando se dan más canales o velocidades más altas; en el caso informado, superó INT_MAX, por lo tanto, alcanza WARN_ON(). Este parche es un intento de evitar dicho desbordamiento y una asignación para búferes demasiado grandes. En primer lugar, agrega el límite de 1 MB como límite superior para bytes de período. Esto debe ser lo suficientemente grande para todos los casos de uso, y realmente no queremos manejar un búfer temporal más grande que este tamaño. La comprobación del tamaño se realiza en dos lugares: donde se calculan los bytes del período original y donde se calcula el tamaño del búfer del complemento. Además, el controlador utiliza array_size() y array3_size() para las multiplicaciones con el fin de detectar desbordamientos en el tamaño del período convertido y los bytes del búfer."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.237","matchCriteriaId":"917826D9-6AD8-4E95-A09E-944D011A1B3B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.188","matchCriteriaId":"670BCB59-E3C8-496D-BD17-297C113776FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.109","matchCriteriaId":"F3E1A428-8D87-4CD4-B9CA-C621B32933F8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.32","matchCriteriaId":"3191B916-53BD-46E6-AE21-58197D35768E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.18","matchCriteriaId":"C86410A0-E312-4F41-93E9-929EAFB31757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:*:*:*:*:*:*:*","matchCriteriaId":"35799228-BFF6-4426-AD3B-F452EA83320F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}