ghsa-wvhc-gh4m-r3j8
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
ASoC: DPCM: Don't pick up BE without substream
When DPCM tries to add valid BE connections at dpcm_add_paths(), it doesn't check whether the picked BE actually supports for the given stream direction. Due to that, when an asymmetric BE stream is present, it picks up wrongly and this may result in a NULL dereference at a later point where the code assumes the existence of a corresponding BE substream.
This patch adds the check for the presence of the substream for the target BE for avoiding the problem above.
Note that we have already some fix for non-existing BE substream at commit 6246f283d5e0 ("ASoC: dpcm: skip missing substream while applying symmetry"). But the code path we've hit recently is rather happening before the previous fix. So this patch tries to fix at picking up a BE instead of parsing BE lists.
{ "affected": [], "aliases": [ "CVE-2022-50049" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-06-18T11:15:33Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: DPCM: Don\u0027t pick up BE without substream\n\nWhen DPCM tries to add valid BE connections at dpcm_add_paths(), it\ndoesn\u0027t check whether the picked BE actually supports for the given\nstream direction. Due to that, when an asymmetric BE stream is\npresent, it picks up wrongly and this may result in a NULL dereference\nat a later point where the code assumes the existence of a\ncorresponding BE substream.\n\nThis patch adds the check for the presence of the substream for the\ntarget BE for avoiding the problem above.\n\nNote that we have already some fix for non-existing BE substream at\ncommit 6246f283d5e0 (\"ASoC: dpcm: skip missing substream while\napplying symmetry\"). But the code path we\u0027ve hit recently is rather\nhappening before the previous fix. So this patch tries to fix at\npicking up a BE instead of parsing BE lists.", "id": "GHSA-wvhc-gh4m-r3j8", "modified": "2025-06-18T12:30:45Z", "published": "2025-06-18T12:30:45Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50049" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/6a840e8ef6b6c56d1b7e6a555adc31135e517875" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/754590651ccbbcc74a7c20907be4bb15d642bde3" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/aa803e6ecac78e93b24ebefa17c207d6392d8ad4" } ], "schema_version": "1.4.0", "severity": [] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.