{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T00:51:29.786","vulnerabilities":[{"cve":{"id":"CVE-2022-49518","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:01:27.837","lastModified":"2025-10-21T12:07:55.643","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload\n\nIt is possible to craft a topology where sof_get_control_data() would do\nout of bounds access because it expects that it is only called when the\npayload is bytes type.\nConfusingly it also handles other types of controls, but the payload\nparsing implementation is only valid for bytes.\n\nFix the code to count the non bytes controls and instead of storing a\npointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),\nstore the pointer to the data itself and add a new member to save the size\nof the data.\n\nIn case of non bytes controls we store the pointer to the chanv itself,\nwhich is just an array of values at the end.\n\nIn case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check\nagainst NULL since it is incorrect and invalid in this context.\nThe data is pointing to the end of cdata struct, so it should never be\nnull."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: SOF: ipc3-topology: get_control_data correcto para payload que no sea de bytes Es posible crear una topología donde sof_get_control_data() haría acceso fuera de los límites porque espera que solo se llame cuando el payload sea de tipo bytes. Confusamente también maneja otros tipos de controles, pero la implementación del análisis del payload solo es válida para bytes. Corrija el código para contar los controles que no sean de bytes y en lugar de almacenar un puntero a sof_abi_hdr en sof_widget_data (que solo es válido para bytes), almacene el puntero a los datos en sí y agregue un nuevo miembro para guardar el tamaño de los datos. En el caso de controles que no sean de bytes, almacenamos el puntero al chanv en sí, que es solo una matriz de valores al final. En el caso del control de bytes, elimine la comprobación incorrecta cdata->data (wdata[i].pdata) contra NULL ya que es incorrecta e inválida en este contexto. Los datos apuntan al final de la estructura cdata, por lo que nunca deben ser nulos."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"5.18.3","matchCriteriaId":"8E122216-2E9E-4B3E-B7B8-D575A45BA3C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/896b03bb7c7010042786cfae2115083d4c241dd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a962890a5a3cce903ff7c7a19fadee63ed9efdc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}