
CVE-2022-49145: Vulnerability in Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:55:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ACPI: CPPC: Avoid out of bounds access when parsing _CPC data

If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then.

BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/

AI-Powered Analysis

Last updated: 06/30/2025, 03:25:26 UTC

Technical Analysis

CVE-2022-49145 is a vulnerability in the Linux kernel's ACPI (Advanced Configuration and Power Interface) subsystem, specifically within the CPPC (Collaborative Processor Performance Control) component. The issue arises when parsing the return package of the _CPC ACPI method. The kernel code attempts to access the "Revision" element of the _CPC package without verifying that the NumEntries field indicates its presence. If NumEntries is less than 2, the "Revision" element may not exist, leading to an out-of-bounds memory access. This can cause undefined behavior such as kernel crashes or potential memory corruption.

The flaw is a logic error in bounds checking during ACPI data parsing, which matters because ACPI is responsible for hardware configuration and power management. The vulnerability was addressed by adding a check so that, if NumEntries is less than 2, the kernel does not attempt to access the "Revision" element, which prevents the out-of-bounds access. This fix mitigates the risk of kernel instability or exploitation through malformed ACPI tables.

There are no known exploits in the wild for this vulnerability, and it affects Linux kernel versions identified by the commit hash 337aadff8e4567e39669e07d9a88b789d78458b5 and similar. The vulnerability does not have an assigned CVSS score, and no patch links are provided in the data, but the kernel mailing list reference indicates the fix was committed. This vulnerability is primarily a stability and potential security risk in systems running vulnerable Linux kernels with ACPI CPPC support enabled.
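The header check described above, as an added user-space example in C; it is not the kernel's code or the upstream patch. The types, return codes and function names are hypothetical, the sample packages are constructed, and the comparison of NumEntries against the real element count is an extra assumption of this example that goes beyond the condition the page describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins for an ACPI package; not kernel types. */
enum obj_type { OBJ_INTEGER, OBJ_OTHER };
struct obj { enum obj_type type; uint64_t value; };
struct package { size_t count; const struct obj *elements; };

enum { CPC_OK = 0, CPC_EMPTY = -1, CPC_BAD_TYPE = -2,
       CPC_TOO_FEW = -3, CPC_MISMATCH = -4 };

/* Read NumEntries (element 0) and Revision (element 1). Element 1 is only
 * touched once both NumEntries and the real element count say it exists. */
int cpc_read_header(const struct package *pkg, uint64_t *num_ent, uint64_t *rev)
{
    if (pkg == NULL || pkg->count == 0)
        return CPC_EMPTY;
    if (pkg->elements[0].type != OBJ_INTEGER)
        return CPC_BAD_TYPE;
    *num_ent = pkg->elements[0].value;
    if (*num_ent < 2)              /* the condition the fix checks */
        return CPC_TOO_FEW;
    if (*num_ent > pkg->count)     /* added assumption: declared > present */
        return CPC_MISMATCH;
    if (pkg->elements[1].type != OBJ_INTEGER)
        return CPC_BAD_TYPE;
    *rev = pkg->elements[1].value;
    return CPC_OK;
}

/* Constructed sample: `count` elements present (at most 4), with element 0
 * (NumEntries) set to `declared` and a constructed Revision value of 3. */
int parse_constructed(size_t count, uint64_t declared)
{
    const struct obj elems[4] = { { OBJ_INTEGER, declared }, { OBJ_INTEGER, 3 },
                                  { OBJ_INTEGER, 0 }, { OBJ_INTEGER, 0 } };
    struct package pkg = { count, elems };
    uint64_t num_ent = 0, rev = 0;
    return cpc_read_header(&pkg, &num_ent, &rev);
}

int main(void)
{
    printf("NumEntries=1, 1 element : %d\n", parse_constructed(1, 1));
    printf("NumEntries=3, 3 elements: %d\n", parse_constructed(3, 3));
    printf("NumEntries=3, 1 element : %d\n", parse_constructed(1, 3));
    return 0;
}
```

A parser that returns early on the short package never indexes the missing "Revision" slot, which is the behaviour the fix is described as enforcing.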

Potential Impact

For European organizations, the impact of CVE-2022-49145 depends largely on their use of Linux-based systems, especially those relying on ACPI CPPC features, such as servers, desktops, and embedded devices. An out-of-bounds access in kernel space can lead to system crashes (denial of service), which could disrupt critical business operations, particularly in sectors like finance, manufacturing, and telecommunications where Linux servers are prevalent. Although no known exploits exist, the vulnerability could be leveraged by a local attacker or malicious software to destabilize systems or potentially escalate privileges if combined with other vulnerabilities. The risk is higher in environments where untrusted or malformed ACPI tables might be introduced, such as virtualized environments or systems with custom firmware. Given the widespread use of Linux in European IT infrastructure, failure to patch this vulnerability could expose organizations to unexpected downtime and potential security breaches, impacting confidentiality, integrity, and availability of systems.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2022-49145. Since the vulnerability relates to ACPI CPPC parsing, organizations should:

1) Apply official kernel patches or upgrade to the latest stable kernel releases that address this issue.
2) Audit and verify firmware and ACPI tables on hardware to ensure they conform to specifications and do not contain malformed _CPC data.
3) In virtualized environments, ensure hypervisors and virtual machine firmware do not expose malformed ACPI data to guest systems.
4) Implement kernel hardening measures such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation risk.
5) Monitor system logs for ACPI-related errors or kernel oops messages that may indicate attempts to trigger this vulnerability.
6) Restrict local access to trusted users only, as exploitation would likely require local code execution or access to malformed ACPI data.

These targeted steps go beyond generic patching by focusing on the ACPI data integrity and system hardening relevant to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.270Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe5032

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 3:25:26 AM

Last updated: 8/3/2025, 6:49:46 AM
