CVE-2022-49273: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49273 is a vulnerability in the Linux kernel's RTC (Real-Time Clock) PL031 driver. The issue was discovered and resolved in February 2025. The vulnerability affects the rtc-pl031 driver when there is no interrupt line available, causing a null pointer dereference in the RTC alarm feature handling (NVD, Debian Tracker).

The vulnerability occurs in the PL031 RTC driver when the alarm feature is disabled due to the absence of an interrupt line. The issue stems from improper timing in clearing the alarm feature bit, which was being performed before the allocation of the ldata->rtc device. This sequence resulted in a null pointer dereference. The fix involves moving the clearing of the RTCFEATUREALARM bit to occur after the rtc device is allocated (Kernel Commit). According to Red Hat's assessment, this vulnerability has a CVSS v3.1 base score of 5.5 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability can lead to a system crash through a null pointer dereference when the RTC alarm feature is disabled due to a missing interrupt line. This primarily affects system stability and availability, with no direct impact on confidentiality or integrity (Red Hat).

The issue has been fixed in the Linux kernel through a patch that corrects the timing of the RTCFEATUREALARM bit clearing operation. The fix has been backported to various stable kernel versions and is available in updated distributions. Debian has marked this as fixed in multiple versions including bullseye (5.10.234-1), bookworm (6.1.129-1), and sid/trixie (6.12.17-1) (Debian Tracker).