CVE-2022-49733: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49733 affects the Linux kernel's ALSA (Advanced Linux Sound Architecture) PCM OSS (Open Sound System) subsystem. The vulnerability was discovered in 2022 and involves a race condition in the sndpcmosssync() function that is called from the OSS PCM SNDCTLDSP_SYNC ioctl. The issue affects Linux kernel versions from 5.5 through 5.10.148, 5.16 through 5.19.9, and 6.0 release candidates (NVD).

The vulnerability stems from a race condition in the sndpcmosssync() function. Specifically, the function calls sndpcmossmakeready() before acquiring the paramslock mutex. This creates a race window where if another thread sets up the stream between these operations, it can lead to inconsistency. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium), with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in unexpected behavior, including a NULL pointer dereference of the OSS buffer. This could potentially lead to system crashes or denial of service conditions (Kernel Patch).

The vulnerability has been fixed by modifying the sndpcmosssync() function to use sndpcmossmakereadylocked() variant, which ensures that the makeready operation is performed while holding the paramslock mutex. This fix has been implemented in various kernel versions through patches (Kernel Patch).