CVE-2022-49335: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49335 is a vulnerability in the Linux kernel's AMD GPU driver that was discovered and disclosed in February 2025. The vulnerability affects the command submission (CS) handling in the AMDGPU driver, specifically when processing commands with zero chunks. This issue affects multiple versions of the Linux kernel, from version 4.20 through 5.18.3 (NVD).

The vulnerability is a NULL pointer dereference issue in the AMDGPU driver's command submission processing. When a CS (Command Submission) with 0 chunks is submitted, it triggers a kernel NULL pointer dereference at address 0x1d8, causing a kernel oops. The issue was discovered when attempting to execute with an incorrect userspace driver configuration using MESA_LOADER_DRIVER_OVERRIDE=v3d. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a kernel NULL pointer dereference, resulting in a system crash or denial of service condition. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

The issue has been fixed by modifying the AMDGPU driver to make commands with 0 chunks illegal, returning -EINVAL instead of allowing the operation to proceed. The fix has been implemented through a series of patches across different kernel versions (Kernel Git).