CVE-2022-49031: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49031 is a vulnerability in the Linux kernel affecting the Industrial I/O (IIO) health subsystem, specifically in the afe4403 driver. The vulnerability was discovered in October 2024 and involves an out-of-bounds read issue in the afe4403_read_raw function (NVD). The vulnerability affects multiple versions of the Linux kernel from 4.8 through 6.1-rc6.

The vulnerability is caused by an array size mismatch in the afe4403_channel_leds array, which is smaller than the number of channels. This leads to an out-of-bounds read when accessing the array with chan->address in the afe4403_read_raw function. The issue can be triggered by reading from the sysfs interface using the command: cat /sys/bus/spi/devices/spi0.0/iio:device0/in_intensity6_raw. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability allows an attacker with local access to cause an out-of-bounds read, potentially leading to information disclosure and system crashes. The KASAN (Kernel Address Sanitizer) report indicates unauthorized memory access, which could expose sensitive kernel information (NVD).

The vulnerability has been fixed by modifying the code to check array access boundaries before use. The fix involves moving the array access operations before their usage in the afe4403_read_raw function. Multiple Linux distributions have released patches to address this vulnerability (Kernel Patch).