CVE-2022-49435

5.5 MEDIUM

📋 TL;DR

A null pointer dereference vulnerability in the Linux kernel's davinci_voicecodec driver could cause kernel crashes or system instability when the driver attempts to access memory without proper validation. This affects Linux systems using the affected kernel versions with the davinci_voicecodec driver loaded. The vulnerability occurs during device probing when platform resources aren't properly checked before use.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected kernel versions referenced in the CVE links; generally older versions before the fix was backported.
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if the davinci_voicecodec driver is compiled and loaded. Many distributions may not include this driver by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or system instability.

🟠 Likely Case

System crash or kernel panic when the vulnerable driver is loaded and platform_get_resource() returns NULL.

🟢 If Mitigated

No impact if the driver isn't loaded or the system has been patched.

🌐 Internet-Facing: LOW - Requires local access or kernel module loading capability.
🏢 Internal Only: MEDIUM - Could be exploited by local users or through other vulnerabilities to cause denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to trigger the vulnerable code path, typically through local access or driver loading.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with the commits referenced in the CVE links

Vendor Advisory: https://git.kernel.org/stable/c/2d00158a06efe6bbcd020108634ea0f2ed8b32f7

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable davinci_voicecodec driver

linux

Prevent loading of the vulnerable kernel module

echo 'blacklist davinci_voicecodec' >> /etc/modprobe.d/blacklist.conf
rmmod davinci_voicecodec

🧯 If You Can't Patch

  • Ensure the davinci_voicecodec driver is not loaded on affected systems
  • Restrict local user access and kernel module loading capabilities

🔍 How to Verify

Check if Vulnerable:

Check if davinci_voicecodec module is loaded: lsmod | grep davinci_voicecodec

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against patched versions from distribution vendor
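
The checks above and the blacklist workaround can be combined into one exposure classification; the script below is an added example, not taken from the advisory or the kernel project. It assumes lsmod-format text and a modprobe.d-style directory as inputs, and it additionally looks for an `install davinci_voicecodec /bin/false` line (not part of this page's workaround), because `blacklist` only suppresses alias-based autoloading and an explicit modprobe still succeeds.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the davinci_voicecodec driver.
MODULE=davinci_voicecodec

# Succeeds if lsmod-format text on stdin lists the module as loaded.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { hit = 1 } END { exit !hit }'
}

# Succeeds if a *.conf file in directory $2 carries directive $1
# ("blacklist" or "install") for the module. modprobe treats "-" and "_"
# in module names as the same character, so normalise before comparing.
# An "install" line counts only when its command is .../false or .../true.
has_directive() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v d="$1" -v m="$MODULE" '
            { n = $2; gsub(/-/, "_", n) }
            $1 == d && n == m && (d != "install" || $3 ~ /\/(false|true)$/) { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# Prints one of: loaded | blocked | blacklisted | unrestricted.
# $1 = file holding lsmod output, $2 = modprobe.d-style directory.
exposure_status() {
    if module_loaded < "$1"; then echo loaded
    elif has_directive install "$2"; then echo blocked
    elif has_directive blacklist "$2"; then echo blacklisted
    else echo unrestricted
    fi
}

# Constructed sample: module not loaded, only a blacklist line present.
demo=$(mktemp -d)
printf 'Module                  Size  Used by\nsnd_sample             16384  0\n' > "$demo/lsmod.txt"
printf 'blacklist davinci-voicecodec\n' > "$demo/blacklist.conf"
echo "status: $(exposure_status "$demo/lsmod.txt" "$demo")"
rm -rf "$demo"
```

On a live host, save `lsmod` output to a file and call `exposure_status` with that file and /etc/modprobe.d; other modprobe.d locations such as /lib/modprobe.d and /run/modprobe.d are not scanned by this example.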

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • System crash logs
  • Driver loading failures

Network Indicators:

  • None - local vulnerability only

SIEM Query:

Search for kernel panic events or system crash reports
