CVE-2022-49733: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
There is a small race window at snd_pcm_oss_sync() that is called from
OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
for the rest. When the stream is set up again by another thread
between them, it leads to inconsistency, and may result in unexpected
results such as NULL dereference of OSS buffer as a fuzzer spotted
recently.
The fix is simply to cover snd_pcm_oss_make_ready() call into the same
params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
CVE-2022-49733 is a Linux kernel ALSA OSS audio compatibility bug. A local, low-privileged user could trigger a race during audio sync handling, potentially crashing the system. It is not remotely reachable, requires timing, and the bundle does not show known active exploitation.
Executive priority
Treat as a moderate availability risk. It is not a remote compromise path, but a local crash primitive can still matter on shared Linux hosts, developer workstations, and multi-tenant workload environments.
Technical view
The flaw is a race in snd_pcm_oss_sync() for the SNDCTL_DSP_SYNC ioctl. snd_pcm_oss_make_ready() ran before params_lock, allowing another thread to reconfigure the stream and create inconsistent state, including possible NULL dereference of the OSS buffer. The fix moves readiness handling under the same mutex.
Likely exposure
Exposure is mainly Linux systems with vulnerable kernels and ALSA OSS PCM compatibility reachable by local users or local workloads. Systems without local untrusted users are lower risk. Distribution-specific package status must be verified separately.
Exploitation context
The CVSS vector is local, high complexity, low privilege, no user interaction, with high availability impact. The source bundle says a fuzzer observed the issue. KEV is false, and no cited source states active exploitation.
Researcher notes
Evidence supports a concurrency bug fixed by locking around OSS PCM readiness handling. Affected version data in the bundle is sparse and commit-oriented, so exact exposure should be resolved through distro kernel advisories or kernel stable backport mapping.
Mitigation direction
Apply vendor Linux kernel updates containing the referenced stable fixes.
Verify distribution advisories for exact fixed package versions.
Restrict local shell or workload access on shared systems where patching is delayed.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.