CVE-2022-48866: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48866 is a vulnerability in the Linux kernel's HID Thrustmaster driver that was discovered and fixed in 2022. The issue involves an out-of-bounds (OOB) read in the thrustmaster_interrupts function. The vulnerability affects Linux kernel versions from 5.13 up to (excluding) 5.15.29 and versions from 5.16 up to (excluding) 5.16.15 (NVD).

The vulnerability stems from missing validation checks of the actual number of endpoints in the thrustmasterprobe() function. The code was blindly accessing the usbhost_interface::endpoint array without verifying if it contained enough endpoints, potentially leading to an out-of-bounds read condition. The issue was identified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) (NVD).

The vulnerability could allow an attacker with local access to cause an out-of-bounds read in the kernel's memory, potentially leading to information disclosure and system crashes. The CVSS score indicates high potential impact on confidentiality and availability, though no impact on integrity (NVD).

The issue was fixed by adding validation checks for the number of endpoints before accessing the endpoint array. The fix includes verifying that usbif->cur_altsetting->desc.bNumEndpoints is at least 2 before attempting to access the second endpoint, and returning with an error message if this condition is not met. The patch has been integrated into multiple kernel versions (Kernel Patch).