CVE-2022-49733: Vulnerability in Linux Linux

Severity: Medium
Published: Sun Mar 02 2025 (03/02/2025, 14:30:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently.

The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

AI-Powered Analysis

Last updated: 06/30/2025, 00:54:57 UTC

Technical Analysis

CVE-2022-49733 is a race condition vulnerability identified in the Linux kernel's ALSA (Advanced Linux Sound Architecture) subsystem, specifically within the OSS (Open Sound System) PCM (Pulse Code Modulation) interface. The vulnerability arises in the snd_pcm_oss_sync() function, which is invoked via the OSS PCM ioctl command SNDCTL_DSP_SYNC. The issue is due to a small race window between the call to snd_pcm_oss_make_ready() and the subsequent acquisition of the params_lock mutex. During this window, if another thread reconfigures the audio stream, it can cause inconsistent internal state, potentially leading to a NULL pointer dereference of the OSS buffer. This can result in unexpected behavior such as kernel crashes or denial of service. The root cause is a lack of proper synchronization around the snd_pcm_oss_make_ready() call. The fix implemented involves moving the snd_pcm_oss_make_ready() call inside the params_lock mutex by using the snd_pcm_oss_make_ready_locked() variant, thereby eliminating the race condition. This vulnerability affects Linux kernel versions identified by the given commit hashes, and while no known exploits are reported in the wild, the issue was detected by fuzz testing. The vulnerability does not have an assigned CVSS score but is publicly disclosed and patched.
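The lock ordering described above, as an added user-space model (not kernel code and not part of the original advisory or patch). `struct oss_model`, `sync_racy()`, `sync_fixed()` and `other_thread_resetup()` are hypothetical names, and the second thread is simulated deterministically with `pthread_mutex_trylock()`, which can only succeed while `params_lock` is not held.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the OSS runtime state; constructed, not kernel code. */
struct oss_model { pthread_mutex_t params_lock; char *buffer; size_t size; };
typedef void (*interleave_fn)(struct oss_model *);

/* Models another thread setting the stream up again; it needs params_lock. */
void other_thread_resetup(struct oss_model *m) {
    if (pthread_mutex_trylock(&m->params_lock) != 0)
        return;                 /* sync path holds the lock: re-setup must wait */
    free(m->buffer);
    m->buffer = NULL;           /* torn down, not yet reallocated */
    pthread_mutex_unlock(&m->params_lock);
}

static int make_ready_locked(struct oss_model *m) {  /* caller holds params_lock */
    if (!m->buffer) m->buffer = calloc(1, m->size);
    return m->buffer ? 0 : -1;
}

static int make_ready(struct oss_model *m) {         /* takes and drops the lock */
    pthread_mutex_lock(&m->params_lock);
    int err = make_ready_locked(m);
    pthread_mutex_unlock(&m->params_lock);
    return err;
}

/* Pre-fix ordering: readiness is established, then the lock is taken again. */
int sync_racy(struct oss_model *m, interleave_fn window) {
    if (make_ready(m) < 0) return -1;
    window(m);                            /* race window: lock not held */
    pthread_mutex_lock(&m->params_lock);
    int ok = m->buffer != NULL;           /* models where a NULL buffer would be used */
    if (ok) memset(m->buffer, 0, m->size);
    pthread_mutex_unlock(&m->params_lock);
    return ok ? 0 : -2;                   /* -2: buffer vanished after the check */
}

/* Post-fix ordering: readiness check and buffer use share one critical section. */
int sync_fixed(struct oss_model *m, interleave_fn window) {
    pthread_mutex_lock(&m->params_lock);
    int err = make_ready_locked(m);
    window(m);                            /* same interleaving, now excluded */
    int ok = !err && m->buffer != NULL;
    if (ok) memset(m->buffer, 0, m->size);
    pthread_mutex_unlock(&m->params_lock);
    return ok ? 0 : -2;
}
```

With a zero-initialised buffer and `other_thread_resetup` passed as the window, `sync_racy()` reports the lost buffer while `sync_fixed()` completes, because the re-setup cannot acquire `params_lock` inside the critical section.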

Potential Impact

For European organizations, the impact of this vulnerability primarily concerns systems running Linux kernels with the affected ALSA OSS PCM interface, which is common in many Linux distributions used in enterprise, government, and industrial environments. Exploitation could lead to kernel crashes causing denial of service on critical systems, potentially disrupting services reliant on audio processing or other kernel functions. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting instability could be leveraged in multi-stage attacks or cause operational downtime. Organizations using Linux-based servers, embedded devices, or workstations with ALSA OSS enabled should be aware of potential service interruptions. The impact is more pronounced in environments where high availability is critical, such as telecommunications, media production, or industrial control systems. Since no known exploits exist, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploit development.

Mitigation Recommendations

European organizations should promptly apply the Linux kernel patches that address this race condition, ensuring that the snd_pcm_oss_make_ready() call is properly synchronized within the params_lock mutex. Specifically, update to the latest stable Linux kernel versions that include the fix or backport the patch if using long-term support kernels. Additionally, organizations should audit their systems to identify any usage of the OSS PCM interface in ALSA and consider disabling OSS compatibility layers if not required, reducing the attack surface. Implementing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enabling kernel lockdown modes can further mitigate exploitation risks. Continuous monitoring of kernel logs for anomalies related to ALSA or OSS PCM operations can help detect attempts to trigger this race condition. Finally, maintain a robust patch management process to ensure timely updates of Linux kernels across all affected systems.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:21:30.449Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe49c3

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 12:54:57 AM

Last updated: 8/6/2025, 12:20:41 PM
