{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts",
    "id" : "2298640",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2298640"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nHID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts\nSyzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug.\nThe root case is in missing validation check of actual number of endpoints.\nCode should not blindly access usb_host_interface::endpoint array, since\nit may contain less endpoints than code expects.\nFix it by adding missing validaion check and print an error if\nnumber of endpoints do not match expected number", "A vulnerability was found in the thrustmaster_interrupts function in the Linux kernel's HID Thrustmaster driver. This issue arises from a lack of validation for the actual number of endpoints, leading to a slab-out-of-bounds read when the code accesses the endpoint array." ],
  "statement" : "Red Hat Enterprise Linux version 9.1 and greater include the relevant patch (fc3ef2e3297b) and are therefore unaffected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48866\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48866\nhttps://lore.kernel.org/linux-cve-announce/2024071629-CVE-2022-48866-93bd@gregkh/T" ],
  "name" : "CVE-2022-48866",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}