CVE-2022-49165 is a vulnerability identified in the Linux kernel's media subsystem, specifically within the imx-jpeg driver responsible for handling JPEG image decoding on certain i.MX platforms. The flaw arises when an application queues an NV12M (multi-planar) JPEG as an output buffer but subsequently queues a single-planar capture buffer. This mismatch leads to a kernel crash due to a NULL pointer dereference in the function mxc_jpeg_addrs. Essentially, the driver fails to properly validate or handle the buffer format transition, causing the kernel to attempt to access invalid memory. The vulnerability results in a denial-of-service (DoS) condition by crashing the kernel, which can disrupt system availability. The patch for this issue involves adding logic to detect this buffer format inconsistency and terminating the job with an error instead of proceeding to the faulty memory access. The vulnerability affects Linux kernel versions containing the specified commit hashes, which correspond to versions prior to the fix. There are no known exploits in the wild, and no CVSS score has been assigned yet. The vulnerability requires that an application interacts with the imx-jpeg driver and queues buffers in a specific erroneous sequence, implying some level of user or application interaction is necessary. However, exploitation does not require elevated privileges beyond what is needed to access the media driver interface.

For European organizations, the primary impact of CVE-2022-49165 is a potential denial-of-service condition on Linux systems running affected kernel versions with the imx-jpeg driver enabled. This could lead to system instability or crashes, particularly in embedded or industrial devices using i.MX processors for media processing tasks, such as video surveillance systems, multimedia appliances, or IoT devices. Disruption of these systems could affect operational continuity, especially in sectors relying on real-time media processing like manufacturing, transportation, or security. While the vulnerability does not directly lead to privilege escalation or data leakage, repeated crashes could be exploited to cause persistent downtime or trigger failover mechanisms, impacting availability. Since the vulnerability requires specific buffer queuing sequences, accidental crashes are possible but targeted exploitation would require crafted inputs or malicious applications. European organizations with embedded Linux devices or custom Linux distributions incorporating the affected driver should be vigilant. The impact is less severe for general-purpose Linux servers or desktops unless they specifically use the affected media driver.

To mitigate CVE-2022-49165, organizations should apply the official Linux kernel patches that address the buffer handling logic in the imx-jpeg driver as soon as they become available. For embedded systems, ensure that the device firmware or kernel is updated to a version including the fix. Additionally, restrict access to the media device interfaces to trusted applications only, minimizing the risk of malicious or malformed buffer queuing. Implement application-level validation to prevent queuing incompatible buffer formats. Monitoring kernel logs for repeated crashes related to mxc_jpeg_addrs can help detect attempted exploitation or misconfigurations. For systems where immediate patching is not feasible, consider disabling the imx-jpeg driver if it is not required, or isolating affected devices from critical networks to reduce impact. Finally, maintain an inventory of devices using i.MX processors and the affected Linux kernel versions to prioritize patching and risk assessment.