
CVE-2022-49245: Vulnerability in Linux Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:56:05 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume

pm_runtime_get_sync will increment the PM usage counter even if it fails. Forgetting the put operation will result in a reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep the usage counter balanced.

AI-Powered Analysis

Last updated: 06/30/2025, 04:42:08 UTC

Technical Analysis

CVE-2022-49245 is a vulnerability in the Linux kernel, specifically in the Audio Subsystem on Chip (ASoC) driver for Rockchip devices, which handles the Inter-IC Sound (I2S) Time-Division Multiplexing (TDM) interface. The issue arises from improper management of the power management (PM) runtime usage counter in the function rockchip_i2s_tdm_resume. The original implementation called pm_runtime_get_sync, which increments the PM usage counter even when the resume operation fails, but it neglected to decrement the counter on that failure path. The result is a reference leak: the usage counter becomes unbalanced, potentially leaving the device in an unintended power state or preventing proper power management transitions. The fix replaces pm_runtime_get_sync with pm_runtime_resume_and_get, which leaves the usage counter incremented only when the resume operation succeeds, keeping the reference count balanced and preventing the leak. Although no exploits in the wild are known, the unbalanced counter can lead to resource leaks, degraded system stability, or denial of service conditions on affected devices. The vulnerability affects Linux kernel versions that include the Rockchip ASoC driver, which is commonly used in embedded systems and devices built on Rockchip SoCs, such as certain ARM-based single-board computers, tablets, and IoT devices. No CVSS score has been assigned to this vulnerability yet.
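To make the counter imbalance concrete, the following is an added user-space model of the two runtime-PM calls the analysis contrasts; it is not the kernel's code nor the Rockchip driver's. The `struct device`, the `model_*` stand-ins and `leaked_refs` are constructed for this example and only mimic the documented semantics of the real calls.

```c
/* Added example, not kernel code: a user-space model of the runtime-PM usage
 * counter; the model_* functions mimic the documented semantics of the real calls. */
#include <stdbool.h>
#include <errno.h>
struct device {                 /* constructed stand-in for struct device */
    int usage_count;            /* runtime-PM usage counter */
    bool resume_fails;          /* fault injection: make runtime resume fail */
};

/* pm_runtime_get_sync(): increments the counter, then resumes. On failure it
 * returns <0 but the increment stays, so the caller still owes a put. */
static int model_pm_runtime_get_sync(struct device *dev)
{
    dev->usage_count++;
    return dev->resume_fails ? -EIO : 0;
}

/* pm_runtime_resume_and_get(): same, but drops the reference on failure. */
static int model_pm_runtime_resume_and_get(struct device *dev)
{
    int ret = model_pm_runtime_get_sync(dev);
    if (ret < 0)
        dev->usage_count--;     /* the pm_runtime_put_noidle() step */
    return ret;
}

/* Before the fix (the pattern CVE-2022-49245 describes): early return on error. */
static int resume_before_fix(struct device *dev)
{
    int ret = model_pm_runtime_get_sync(dev);
    if (ret < 0)
        return ret;             /* counter still incremented: reference leaked */
    return 0;                   /* ... device re-init would follow ... */
}

/* After the fix: a failed resume leaves usage_count exactly as it was. */
static int resume_after_fix(struct device *dev)
{
    int ret = model_pm_runtime_resume_and_get(dev);
    return ret < 0 ? ret : 0;
}

/* Call resume() 'attempts' times on an always-failing device; return leaked refs. */
static int leaked_refs(int (*resume)(struct device *), int attempts)
{
    struct device dev = { .usage_count = 0, .resume_fails = true };
    for (int i = 0; i < attempts; i++)
        resume(&dev);
    return dev.usage_count;
}
```

Each failed resume through the old pattern leaves one extra reference behind, which is exactly the drift a monitor of runtime-PM state would see accumulate on an affected device.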

Potential Impact

For European organizations, the impact of CVE-2022-49245 depends largely on their use of Linux-based systems running on Rockchip hardware. Organizations deploying embedded Linux devices, industrial control systems, or IoT infrastructure using Rockchip SoCs could experience degraded device performance or unexpected power management behavior. This could lead to increased power consumption, reduced device lifespan, or system instability. In critical environments such as manufacturing, healthcare, or telecommunications, such instability could cause operational disruptions or downtime. While the vulnerability does not directly enable remote code execution or privilege escalation, the resulting denial of service or device malfunction could indirectly impact availability and reliability of services. Given the growing adoption of embedded Linux devices in European industries, failure to patch this vulnerability could expose organizations to avoidable operational risks.

Mitigation Recommendations

To mitigate CVE-2022-49245, European organizations should:

1) Identify all Linux systems running Rockchip-based hardware, particularly those using the affected ASoC drivers.
2) Apply the vendor-provided patches or update to a Linux kernel version that includes the fix replacing pm_runtime_get_sync with pm_runtime_resume_and_get in the rockchip_i2s_tdm_resume function.
3) For embedded devices where kernel upgrades are challenging, consider vendor firmware updates or consult device manufacturers for patched releases.
4) Implement monitoring of device power states and system logs to detect abnormal power management behavior that could indicate the vulnerability is being triggered.
5) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.
6) Test patches in staging environments to verify stability and power management behavior before deployment in production.
7) Limit exposure of affected devices to untrusted networks to reduce the risk of exploitation attempts, even though no exploits are currently known.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.294Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe540a

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 4:42:08 AM

Last updated: 8/9/2025, 11:12:55 AM

