CVE-2022-1462: 
Linux Kernel vulnerability analysis and mitigation

An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem (CVE-2022-1462). The vulnerability was discovered in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flushtoldisc function. This vulnerability affects Linux kernel systems and was disclosed in June 2022 (NVD, Debian).

The vulnerability stems from a race condition in the ttybuffers.c file where ttyflipbufferpush() writes to critical resources buf->tail->commit without proper synchronization. This can cause the value of buf->tail->commit to become less than expected, leading to an out-of-bounds read in the flushtoldisc function. The vulnerability has a CVSS v3.1 Base Score of 6.3 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD, OSS-SEC).

This flaw allows a local user to crash the system or read unauthorized random data from memory. The vulnerability can lead to information disclosure and system instability through out-of-bounds read operations (NVD, Red Hat).

The issue has been fixed in various Linux distributions through security updates. Debian has addressed this in version 4.19.260-1 for Debian 10 (buster), and Red Hat has released patches for Enterprise Linux 8 and 9. The recommended mitigation is to update the kernel to a patched version (Debian LTS, Red Hat).