CVE-2022-48866
📋 TL;DR
This vulnerability allows an attacker to trigger an out-of-bounds read in the Linux kernel's hid-thrustmaster HID driver by connecting a malicious USB device. It affects Linux systems on which the hid-thrustmaster driver is loaded, and can lead to kernel crashes or information disclosure. The root cause is a missing check on the number of USB endpoints reported by the device before the driver uses them.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential information disclosure from kernel memory, or local privilege escalation if combined with other vulnerabilities.
Likely Case
System crash or kernel panic when a malicious USB device is connected, requiring physical access to trigger.
If Mitigated
No impact if patched or if the vulnerable driver is not loaded.
🎯 Exploit Status
Exploitation requires physical USB device connection or USB device emulation. Syzbot discovered the issue through fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commit 3ffbe85cda7f523dad896bae08cecd8db8b555ab or a later release
Vendor Advisory: https://git.kernel.org/stable/c/3ffbe85cda7f523dad896bae08cecd8db8b555ab
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution.
2. For custom kernels, apply the fix commit.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Blacklist hid-thrustmaster driver
Prevent the vulnerable driver module from being loaded automatically (a blacklist entry stops alias-based autoloading, such as on USB hotplug; rebuild the initramfs afterwards so the rule also applies during early boot)
echo 'blacklist hid-thrustmaster' >> /etc/modprobe.d/blacklist.conf
update-initramfs -u
Block the module with an install rule
Prevent modprobe from loading hid-thrustmaster at all; unlike a plain blacklist, an install rule that runs /bin/false also refuses explicit and dependency loads of the module
echo 'install hid-thrustmaster /bin/false' >> /etc/modprobe.d/disable.conf
🧯 If You Can't Patch
- Restrict physical USB port access to trusted personnel only
- Disable USB device sharing/redirection features
🔍 How to Verify
Check if Vulnerable:
Check if hid-thrustmaster module is loaded: lsmod | grep thrustmaster
Check Version:
uname -r
Verify Fix Applied:
Compare the running kernel version against the patched versions published by your distribution, or verify that the fix commit is present in the kernel source.
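The two workarounds above and the "Check if Vulnerable" step can be turned into one repeatable check. The script below is an added example, not part of the advisory: it reports whether hid-thrustmaster is loaded and whether a modprobe.d rule of the kind shown above will keep it from loading. File paths are parameters, so the functions run against the constructed fixtures at the bottom as well as against a real host.

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether hid-thrustmaster is
# loaded right now and whether a modprobe.d rule like those in the workarounds
# will keep it from loading. Paths are parameters so the functions can be
# exercised against the constructed fixtures below.

# $1: a file holding lsmod output. lsmod prints the module as hid_thrustmaster
# (underscore), which is why the advisory greps for the bare word thrustmaster.
module_loaded() {
    grep -q '^hid_thrustmaster[[:space:]]' "$1"
}

# $1: a modprobe.d directory. A 'blacklist' line only stops alias-based
# autoloading on USB hotplug; 'install hid-thrustmaster /bin/false' makes
# modprobe refuse the module outright. Either counts as a block here.
module_blocked() {
    [ -d "$1" ] || return 1
    cat "$1"/*.conf 2>/dev/null | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+hid[-_]thrustmaster|install[[:space:]]+hid[-_]thrustmaster[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# Verdict: exit 0 = blocked and unloaded, 1 = unloaded but free to autoload,
# 2 = loaded now. The message is for a human; callers should use the code.
check_status() {
    if module_loaded "$1"; then
        echo "LOADED: hid_thrustmaster is active; unload it and add a block rule"
        return 2
    fi
    if module_blocked "$2"; then
        echo "BLOCKED: modprobe rule present and module not loaded"
        return 0
    fi
    echo "UNBLOCKED: not loaded now, but a matching USB device may autoload it"
    return 1
}

# Constructed fixtures (not real host data) used by the checks below.
FIX="$(mktemp -d)"
printf 'Module Size Used by\nhid_thrustmaster 16384 0\nusbhid 65536 0\n' > "$FIX/lsmod_loaded.txt"
printf 'Module Size Used by\nusbhid 65536 0\n' > "$FIX/lsmod_clean.txt"
mkdir -p "$FIX/modprobe.d" "$FIX/empty.d"
echo 'install hid-thrustmaster /bin/false' > "$FIX/modprobe.d/disable.conf"

# Real host: lsmod > /tmp/lsmod.txt; check_status /tmp/lsmod.txt /etc/modprobe.d
check_status "$FIX/lsmod_clean.txt" "$FIX/modprobe.d" || true
```

An exit code of 0 only means the module is not loaded and a block rule exists; it does not replace installing the patched kernel.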
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Out-of-bounds (OOB) read reports in the kernel log (dmesg)
- USB device connection failures
Network Indicators:
- USB over IP connections to vulnerable systems
SIEM Query:
source="kernel" AND ("thrustmaster" OR "OOB" OR "out of bounds")
🔗 References
- https://git.kernel.org/stable/c/3ffbe85cda7f523dad896bae08cecd8db8b555ab
- https://git.kernel.org/stable/c/56185434e1e50acecee56d8f5850135009b87947
- https://git.kernel.org/stable/c/fc3ef2e3297b3c0e2006b5d7b3d66965e3392036