CVE-2022-49288: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49288 is a vulnerability in the Linux kernel's ALSA (Advanced Linux Sound Architecture) PCM subsystem, discovered and disclosed in February 2025. The vulnerability stems from a lack of protection against concurrent PCM buffer preallocation changes via proc files, which could potentially lead to Use-After-Free (UAF) conditions or other memory-related issues. This vulnerability affects various versions of the Linux kernel (NVD).

The vulnerability exists in the PCM memory management component of the ALSA subsystem. The issue arises from unprotected concurrent access to PCM buffer preallocation changes through proc files. The CVSS v3.1 base score is 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (NVD, CISA-ADP).

The vulnerability could potentially lead to Use-After-Free conditions or other memory-related problems in the Linux kernel's sound subsystem. This could result in system instability, privilege escalation, or unauthorized access to kernel memory (Kernel Git).

The vulnerability has been patched by applying the PCM open_mutex to the proc write operation, which prevents racy proc writes and PCM stream open operations. The fix has been implemented across various kernel versions, including backports to older maintained versions. Users should update their Linux kernel to a patched version (Kernel Git).