CVE-2022-49035: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49035 affects the Linux kernel's media subsystem, specifically the s5p_cec driver. The vulnerability was discovered in the message length handling of CEC (Consumer Electronics Control) messages. The issue was identified and patched in August 2022, with the fix being integrated into various Linux kernel versions (Kernel Commit).

The vulnerability exists in the s5p_cec driver where the message length (msg.len) is not properly validated against CEC_MAX_MSG_SIZE. The hardware is expected to limit the message length to 16 bytes, but there was no software check to ensure this limitation. This could potentially lead to buffer overflows if the hardware doesn't properly enforce the limit (Red Hat Portal). The CVSS v3.1 base score for this vulnerability is 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

The vulnerability primarily affects the availability of the system. According to the CVSS metrics, while there is no impact on confidentiality or integrity, there is a high impact on availability. This suggests that successful exploitation could lead to system disruption or denial of service conditions (Red Hat Portal).

A fix has been implemented that adds a check to limit msg.len to CEC_MAX_MSG_SIZE. The patch has been integrated into various Linux kernel versions. The fix involves adding two lines of code to validate and limit the message length if it exceeds the maximum allowed size (Kernel Commit).