CVE-2022-48628: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ceph: drop messages from MDS when unmounting

When unmounting, all the dirty buffers will be flushed, and after the last osd request is finished the last reference of the i_count will be released. Then it will flush the dirty cap/snap to MDSs, and the unmounting won't wait for the possible acks, which will ihold the inodes when updating the metadata locally but makes no sense any more, of this. This will make evict_inodes() skip these inodes.

If encrypt is enabled the kernel generates a warning when removing the encrypt keys when the skipped inodes still hold the keyring:

  WARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0
  CPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1
  Hardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015
  RIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0
  RSP: 0018:ffffc9000b277e28 EFLAGS: 00010202
  RAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00
  RDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000
  RBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000
  R10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40
  R13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000
  FS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
  <TASK>
  generic_shutdown_super+0x47/0x120
  kill_anon_super+0x14/0x30
  ceph_kill_sb+0x36/0x90 [ceph]
  deactivate_locked_super+0x29/0x60
  cleanup_mnt+0xb8/0x140
  task_work_run+0x67/0xb0
  exit_to_user_mode_prepare+0x23d/0x240
  syscall_exit_to_user_mode+0x25/0x60
  do_syscall_64+0x40/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7fd83dc39e9b

Later the kernel will crash when iput() the inodes and dereferencing the "sb->s_master_keys", which has been released by the generic_shutdown_super().
AI Analysis
Technical Summary
CVE-2022-48628 is a vulnerability in the Linux kernel, in the Ceph filesystem's handling of metadata server (MDS) messages during unmount operations. When a Ceph filesystem is unmounted, all dirty buffers are flushed, and after the last object storage daemon (OSD) request completes, the last reference count of the inode (i_count) is released. The kernel then flushes dirty capabilities and snapshots to the MDSs but does not wait for acknowledgments (acks) from the MDS. An ack that arrives afterwards takes a reference on the inode (ihold) while updating the metadata locally, which serves no purpose this late in the unmount and causes the eviction process (evict_inodes()) to skip the inodes that still hold references.

When filesystem encryption is enabled, removing the encryption keys while the skipped inodes still hold the keyring triggers a kernel warning. The warning is logged in the kernel trace and indicates a potential use-after-free or dangling pointer scenario. The kernel eventually crashes during the iput() operation on these inodes when it dereferences the "sb->s_master_keys" pointer, which has already been released by the generic_shutdown_super() function. This sequence of events can cause a kernel panic or system crash, leading to denial of service (DoS).

The vulnerability affects Linux kernel versions around 6.1.0-rc5 with Ceph support and encryption enabled. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The root cause is a race or logic flaw in the Ceph unmount path combined with filesystem encryption key management, resulting in unsafe memory access and system instability.
Potential Impact
For European organizations, especially those relying on Linux servers with Ceph distributed storage and filesystem encryption enabled, this vulnerability poses a significant risk of system crashes and denial of service. Ceph is widely used in cloud infrastructure, data centers, and enterprise storage solutions, including in sectors such as finance, telecommunications, research institutions, and public administration across Europe. A kernel panic triggered by this flaw could disrupt critical services, cause data unavailability, and require system reboots, impacting business continuity. Although there is no evidence of remote code execution or privilege escalation, the DoS impact on high-availability systems could be severe. Organizations using Ceph with encrypted filesystems must be particularly cautious, as the interaction between encryption key management and inode eviction is central to the vulnerability. The lack of requirement for user interaction or authentication to trigger the crash (assuming unmount operations are performed) increases the risk in multi-tenant or shared environments. Additionally, the complexity of the issue may delay detection and remediation, increasing exposure time.
Mitigation Recommendations
To mitigate CVE-2022-48628, European organizations should:
1) Apply the latest Linux kernel patches as soon as they become available from trusted sources, focusing on versions that address Ceph unmount and encryption key handling.
2) Temporarily avoid unmounting Ceph filesystems with encryption enabled during critical operational periods to reduce risk of triggering the crash.
3) Monitor kernel logs for warnings related to fscrypt_destroy_keyring and inode eviction anomalies to detect potential exploitation attempts or system instability.
4) Implement robust backup and recovery procedures for systems using Ceph to minimize downtime in case of crashes.
5) Consider disabling filesystem encryption on Ceph mounts if operationally feasible until a patch is applied, to prevent the keyring-related crash scenario.
6) Engage with Linux distribution vendors and Ceph maintainers to track patch releases and coordinate timely updates.
7) In virtualized or containerized environments, isolate Ceph storage nodes to limit blast radius of potential crashes.
8) Conduct thorough testing of kernel updates in staging environments replicating production Ceph configurations before deployment.
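A log check for the kernel-log monitoring recommendation above, as an added example that is not part of the original advisory: it groups kernel log lines into WARNING blocks and reports only those where fscrypt_destroy_keyring fired under ceph_kill_sb, the call path shown in the description. The timestamps, the second (non-Ceph) block and the function name are constructed for illustration.

```python
import re

# Constructed sample log. The first block mirrors the warning quoted in the CVE
# description; the second is the same warning from a non-Ceph unmount path.
SAMPLE_LOG = """\
[  812.100001] WARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0
[  812.100002] CPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1
[  812.100003] Call Trace:
[  812.100005]  generic_shutdown_super+0x47/0x120
[  812.100006]  kill_anon_super+0x14/0x30
[  812.100007]  ceph_kill_sb+0x36/0x90 [ceph]
[  900.000001] WARNING: CPU: 1 PID: 4242 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0
[  900.000002] CPU: 1 PID: 4242 Comm: umount Not tainted 6.1.0-example #1
[  900.000003] Call Trace:
[  900.000004]  generic_shutdown_super+0x47/0x120
[  900.000005]  kill_block_super+0x21/0x50
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # dmesg timestamp prefix
WARN = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) (\w+)\+0x")
COMM = re.compile(r"Comm: (\S+)")
FRAME = re.compile(r"\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # one stack frame


def find_ceph_keyring_warnings(text):
    """Return one dict per WARNING block raised on the CephFS unmount path."""
    blocks = []
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if line.startswith("WARNING:"):
            blocks.append([line])        # a new warning block starts here
        elif blocks:
            blocks[-1].append(line)      # everything else belongs to the last block
    hits = []
    for block in blocks:
        head = WARN.search(block[0])
        if not head or head.group(3) != "fscrypt_destroy_keyring":
            continue
        frames = [m.group(1) for m in map(FRAME.match, block[1:]) if m]
        if "ceph_kill_sb" not in frames:
            continue                     # same warning, but not from CephFS
        comm = next((m.group(1) for m in map(COMM.search, block) if m), None)
        hits.append({"pid": int(head.group(1)), "at": head.group(2),
                     "comm": comm, "frames": frames})
    return hits


if __name__ == "__main__":
    for hit in find_ceph_keyring_warnings(SAMPLE_LOG):
        print(hit)
```

Feed it the text of `dmesg` or `journalctl -k` output; a hit on a host that later panics in iput() is consistent with the sequence the description lays out.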
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:44:28.314Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5ce6
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 5:41:40 PM
Last updated: 8/11/2025, 12:41:26 AM