LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49733: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently. The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

MediumCVSS 4.7Not KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

CVE-2022-49733 is a Linux kernel ALSA OSS audio compatibility bug. A local, low-privileged user could trigger a race during audio sync handling, potentially crashing the system. It is not remotely reachable, requires timing, and the bundle does not show known active exploitation.

Executive priority

Treat as a moderate availability risk. It is not a remote compromise path, but a local crash primitive can still matter on shared Linux hosts, developer workstations, and multi-tenant workload environments.

Technical view

The flaw is a race in snd_pcm_oss_sync() for the SNDCTL_DSP_SYNC ioctl. snd_pcm_oss_make_ready() ran before params_lock, allowing another thread to reconfigure the stream and create inconsistent state, including possible NULL dereference of the OSS buffer. The fix moves readiness handling under the same mutex.

Likely exposure

Exposure is mainly Linux systems with vulnerable kernels and ALSA OSS PCM compatibility reachable by local users or local workloads. Systems without local untrusted users are lower risk. Distribution-specific package status must be verified separately.

Exploitation context

The CVSS vector is local, high complexity, low privilege, no user interaction, with high availability impact. The source bundle says a fuzzer observed the issue. KEV is false, and no cited source states active exploitation.

Researcher notes

Evidence supports a concurrency bug fixed by locking around OSS PCM readiness handling. Affected version data in the bundle is sparse and commit-oriented, so exact exposure should be resolved through distro kernel advisories or kernel stable backport mapping.

Mitigation direction

  • Apply vendor Linux kernel updates containing the referenced stable fixes.
  • Verify distribution advisories for exact fixed package versions.
  • Restrict local shell or workload access on shared systems where patching is delayed.
  • Monitor kernel crash logs for ALSA OSS PCM NULL dereference indicators.

Validation and detection

  • Inventory Linux kernel versions across servers, workstations, and appliances.
  • Confirm whether ALSA OSS PCM compatibility is present and reachable locally.
  • Map installed kernels against vendor advisories and stable commit backports.
  • Prioritize shared multi-user systems and hosts running untrusted local workloads.
Prepared
Confidence
high
Sources
7

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-476: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-49733 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.7CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H13.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

4.7Medium
CVSS 3.1 vector shape for CVE-2022-49733Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe3a5d59a17e9a42e3f3e0e37342b2679bab2ff43, e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43, e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43, e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43, e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43unaffected
LinuxLinux2.6.20, 0, 5.4.215, 5.10.148, 5.15.68, 5.19.9, 6.0affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-476 · source CWE mapping

NULL Pointer Dereference

NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.