CVE-2022-49733

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49733

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49733.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-49733

Downstream

DEBIAN-CVE-2022-49733

SUSE-SU-2025:0983-1

SUSE-SU-2025:1027-1

SUSE-SU-2025:1176-1

SUSE-SU-2025:1183-1

SUSE-SU-2025:1194-1

SUSE-SU-2025:1241-1

SUSE-SU-2025:1263-1

SUSE-SU-2025:1293-1

UBUNTU-CVE-2022-49733

Related

Published

2025-03-02T15:15:11Z

Modified

2025-10-01T20:17:09Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix race at SNDCTLDSPSYNC

There is a small race window at sndpcmosssync() that is called from OSS PCM SNDCTLDSPSYNC ioctl; namely the function calls sndpcmossmakeready() at first, then takes the paramslock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently.

The fix is simply to cover sndpcmossmakeready() call into the same paramslock mutex with sndpcmossmakereadylocked() variant.

References

Affected packages