{"id":"CVE-2022-49937","summary":"media: mceusb: Use new usb_control_msg_*() routines","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mceusb: Use new usb_control_msg_*() routines\n\nAutomatic kernel fuzzing led to a WARN about invalid pipe direction in\nthe mceusb driver:\n\n------------[ cut here ]------------\nusb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40\nWARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410\nusb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410\nCode: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8\n44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 \u003c0f\u003e 0b\ne9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41\nRSP: 0018:ffffc900032becf0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000\nRDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90\nRBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000\nR10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000\nR13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0\nCall Trace:\n\u003cTASK\u003e\nusb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58\nusb_internal_control_msg drivers/usb/core/message.c:102 [inline]\nusb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153\nmceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline]\nmceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807\n\nThe reason for the warning is clear enough; the driver sends an\nunusual read request on endpoint 0 but does not set the USB_DIR_IN bit\nin the bRequestType field.\n\nMore importantly, the whole situation can be avoided and the driver\nsimplified by converting it over to the relatively new\nusb_control_msg_recv() and usb_control_msg_send() routines.  That's\nwhat this fix does.","modified":"2026-04-03T13:14:27.159376369Z","published":"2025-06-18T10:54:38.812Z","related":["SUSE-SU-2025:02264-1","SUSE-SU-2025:02308-1","SUSE-SU-2025:02312-1","SUSE-SU-2025:02320-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02334-1","SUSE-SU-2025:02537-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49937.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/608e58a0f4617977178131f5f68a3fce1d3f5316"},{"type":"WEB","url":"https://git.kernel.org/stable/c/75913c562f5ba4cf397d835c63f443879167c6f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d69c738ac9310b56e84c51c8f09fc018a8291bc6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49937.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49937"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"66e89522aff70fb2701ba8f6845fdcd365dd2ade"},{"fixed":"587f793c64d99d92be8ef01c4c69d885a3f2edb6"},{"fixed":"75913c562f5ba4cf397d835c63f443879167c6f6"},{"fixed":"d69c738ac9310b56e84c51c8f09fc018a8291bc6"},{"fixed":"608e58a0f4617977178131f5f68a3fce1d3f5316"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49937.json"}}],"schema_version":"1.7.5"}