CVE-2022-49289: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-49289 is a vulnerability in the Linux kernel affecting the user access (uaccess) functionality. The vulnerability was discovered in February 2025 and involves an integer overflow issue in the access_ok() function. Three architectures (CSKY, Hexagon, and Microblaze) were found to check the end of a user access against the address limit without properly accounting for potential integer overflows (Kernel Git).

The vulnerability exists in the access_ok() implementation where three architectures incorrectly validate user memory access boundaries. When checking against the address limit, these implementations fail to account for integer overflows that could occur during address calculations. Specifically, passing a negative length or triggering another overflow condition would incorrectly return success when it should have failed. The issue affects the CSKY, Hexagon, and Microblaze architectures in the Linux kernel (Kernel Git).

When exploited, this vulnerability could allow an attacker to bypass memory access restrictions. By manipulating the size parameter to cause an integer overflow, the access_ok() function would incorrectly validate memory accesses, potentially leading to unauthorized access to kernel memory regions (NVD).

The vulnerability has been patched by implementing a more secure access_ok() function that properly handles integer overflows. The fix implements the most common correct implementation that optimizes for constant 'size' arguments and turns the common case into a single comparison. The patch has been applied to the affected architectures (Kernel Git).