CVE-2022-48927: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48927 affects the Linux kernel's Industrial I/O (IIO) ADC driver for the TI TSC2046 controller. The vulnerability was discovered when it was found that indiodev->numchannels includes all physical channels plus timestamp channel, while the array is allocated only for physical channels. This mismatch could lead to memory corruption through array overflow (Kernel Patch).

The vulnerability exists in the drivers/iio/adc/ti-tsc2046.c file where two instances of incorrect array bounds checking were identified. The code was using indiodev->numchannels and priv->dcfg->num_channels for iteration bounds, instead of the actual array size of priv->l. This could lead to out-of-bounds memory access and potential memory corruption. The issue has a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker with local access to cause memory corruption, potentially leading to system crashes, information disclosure, or privilege escalation. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (NVD).

The issue has been fixed by replacing the numchannels variable with ARRAYSIZE(priv->l) in the affected code sections. The fix was implemented in kernel versions 5.15.26 and 5.16.12. Users should upgrade to these or later versions to mitigate the vulnerability (Kernel Patch).