CVE-2022-48651: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535. This may trigger slab-out-of-bounds bugs as follows:

=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
 print_address_description.constprop.0+0x1d/0x160
 print_report.cold+0x4f/0x112
 kasan_report+0xa3/0x130
 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
 ipvlan_start_xmit+0x29/0xa0 [ipvlan]
 __dev_direct_xmit+0x2e2/0x380
 packet_direct_xmit+0x22/0x60
 packet_snd+0x7c9/0xc40
 sock_sendmsg+0x9a/0xa0
 __sys_sendto+0x18a/0x230
 __x64_sys_sendto+0x74/0x90
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:
1. packet_snd() only resets skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified, as in packet_parse_headers()
2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() does

In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets the mac header with eth_hdr(), which uses "skb->head + skb->mac_header", an out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and resets the mac header in multicast to solve this out-of-bound bug.
AI Analysis
Technical Summary
CVE-2022-48651 is a high-severity vulnerability in the Linux kernel's ipvlan network driver, specifically related to the handling of the mac_header field in socket buffers (skb) when using AF_PACKET sockets with the PACKET_QDISC_BYPASS option. The issue arises because when an AF_PACKET socket is configured to send packets through ipvlan and the transmit function is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt(), the skb->mac_header field may not be properly reset. Instead, it retains an invalid initial value of 65535. This leads to an out-of-bounds memory access when the ipvlan_xmit_mode_l2() function attempts to access the MAC header using eth_hdr(), which calculates the header pointer as skb->head + skb->mac_header. Since skb->mac_header is invalid, this results in a slab-out-of-bounds bug, potentially causing kernel memory corruption or crashes.

The root cause is twofold: first, packet_snd() only resets skb->mac_header when the socket type is SOCK_RAW and the protocol is unspecified, which is not the case here; second, packet_direct_xmit() does not reset skb->mac_header, unlike dev_queue_xmit(). The vulnerability was fixed by replacing eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2(), which safely handles the MAC header, and by resetting the mac_header in multicast scenarios to prevent out-of-bounds access.

This vulnerability is classified under CWE-125 (Out-of-bounds Read) and has a CVSS 3.1 base score of 7.7, indicating high severity. It requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact affects integrity and availability but not confidentiality. No known exploits are reported in the wild as of the published date. The affected versions include specific Linux kernel commits prior to the patch.
This vulnerability is particularly relevant for environments using ipvlan interfaces with AF_PACKET sockets configured with PACKET_QDISC_BYPASS, which may be common in advanced networking setups, containerized environments, or virtualized infrastructure relying on Linux kernel networking features.
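To make the failure mode concrete, the following is an added C model of the sk_buff fields involved; it is not kernel code and not part of the CVE record. The model keeps only head, data, an allocation size and the 16-bit mac_header offset, and mirrors three kernel helpers by behaviour: eth_hdr() (head + mac_header, trusting the offset), skb_eth_hdr() (the header at data, which is what the fix switched ipvlan_xmit_mode_l2() to) and skb_reset_mac_header(). The unset value 65535 is the one from the report. The struct names, the buf_len field, the checked accessor and the 256-byte buffer with a multicast destination are this example's own assumptions and constructed input, not anything from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for struct sk_buff (an assumption of this model, not the kernel
 * layout): only the fields that matter for CVE-2022-48651. */
struct toy_skb {
    unsigned char *head;  /* start of the allocated buffer */
    unsigned char *data;  /* start of the frame being transmitted */
    size_t buf_len;       /* size of the allocation; models the slab object KASAN guards */
    uint16_t mac_header;  /* offset of the MAC header from head */
};

/* The initial "not set" value: (u16)~0 == 65535, as in the KASAN report. */
#define MAC_HEADER_UNSET ((uint16_t)~0U)

struct toy_ethhdr {
    unsigned char h_dest[6];
    unsigned char h_source[6];
    uint16_t h_proto;
};

/* Same test as the kernel's skb_mac_header_was_set(). */
bool mac_header_was_set(const struct toy_skb *skb)
{
    return skb->mac_header != MAC_HEADER_UNSET;
}

/* Mirrors eth_hdr(): head + mac_header, trusting the offset. With the offset
 * unset this points 65535 bytes past head, outside the allocation. */
struct toy_ethhdr *unchecked_eth_hdr(const struct toy_skb *skb)
{
    return (struct toy_ethhdr *)(skb->head + skb->mac_header);
}

/* Mirrors skb_eth_hdr(): the frame starts at data, so mac_header is not consulted. */
struct toy_ethhdr *data_eth_hdr(const struct toy_skb *skb)
{
    return (struct toy_ethhdr *)skb->data;
}

/* Mirrors skb_reset_mac_header(): record that the MAC header is at data. */
void reset_mac_header(struct toy_skb *skb)
{
    skb->mac_header = (uint16_t)(skb->data - skb->head);
}

/* Explicit form of the check KASAN enforces at runtime: would reading an
 * Ethernet header at head + mac_header stay inside the allocation? */
bool eth_hdr_in_bounds(const struct toy_skb *skb)
{
    return (size_t)skb->mac_header + sizeof(struct toy_ethhdr) <= skb->buf_len;
}

/* Defensive accessor (this model's own, not a kernel helper): refuse an unset
 * or out-of-range offset instead of dereferencing it; returns NULL in that case. */
struct toy_ethhdr *checked_eth_hdr(const struct toy_skb *skb)
{
    if (!mac_header_was_set(skb) || !eth_hdr_in_bounds(skb))
        return NULL;
    return unchecked_eth_hdr(skb);
}

/* Same test as the kernel's is_multicast_ether_addr(): low bit of the first octet. */
bool dest_is_multicast(const struct toy_ethhdr *eth)
{
    return (eth->h_dest[0] & 0x01) != 0;
}

/* Constructed scenario from the report: a 256-byte buffer holding one frame at
 * data == head, sent down the packet_direct_xmit() path so mac_header was never reset. */
static unsigned char g_frame_buf[256];

void build_report_scenario(struct toy_skb *skb)
{
    static const unsigned char mcast_dst[6] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
    memset(g_frame_buf, 0, sizeof g_frame_buf);
    memcpy(g_frame_buf, mcast_dst, sizeof mcast_dst);
    skb->head = g_frame_buf;
    skb->data = g_frame_buf;
    skb->buf_len = sizeof g_frame_buf;
    skb->mac_header = MAC_HEADER_UNSET;
}

int main(void)
{
    struct toy_skb skb;
    build_report_scenario(&skb);

    printf("mac_header set: %s, eth_hdr() in bounds: %s\n",
           mac_header_was_set(&skb) ? "yes" : "no",
           eth_hdr_in_bounds(&skb) ? "yes" : "no");
    printf("checked_eth_hdr(): %s\n", checked_eth_hdr(&skb) ? "ok" : "refused");
    printf("skb_eth_hdr() dest multicast: %s\n",
           dest_is_multicast(data_eth_hdr(&skb)) ? "yes" : "no");

    reset_mac_header(&skb);   /* what the multicast path does after the fix */
    printf("after reset: mac_header=%u, checked_eth_hdr()==skb_eth_hdr(): %s\n",
           skb.mac_header, checked_eth_hdr(&skb) == data_eth_hdr(&skb) ? "yes" : "no");
    return 0;
}
```

The point of the model is the two-part fix visible in the commit: reading the header from data removes the dependency on mac_header entirely, and resetting mac_header on the multicast path makes any later head + mac_header consumer see a valid offset again.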
Potential Impact
For European organizations, the impact of CVE-2022-48651 can be significant in environments where Linux servers are used with ipvlan networking, especially in data centers, cloud providers, and enterprises leveraging container orchestration platforms like Kubernetes that may use ipvlan for network virtualization. The out-of-bounds memory access can lead to kernel crashes (denial of service) or potentially allow an attacker to corrupt kernel memory, impacting system integrity and availability. Although the vulnerability does not directly expose confidentiality breaches, the resulting instability can disrupt critical services. Given the prevalence of Linux in European IT infrastructure, including government, finance, telecommunications, and manufacturing sectors, exploitation could cause service outages or require emergency patching, impacting business continuity. The requirement for local access limits remote exploitation but insider threats or compromised internal hosts could leverage this vulnerability to escalate attacks or disrupt operations. Additionally, virtualized and containerized environments common in European cloud deployments may be particularly exposed if they use the affected ipvlan configurations.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-48651 as soon as possible. Ensure that all Linux systems, especially those running kernel versions prior to the fix, are updated.
2. Audit network configurations to identify use of ipvlan interfaces combined with AF_PACKET sockets using PACKET_QDISC_BYPASS. Where possible, avoid or restrict the use of PACKET_QDISC_BYPASS to trusted applications.
3. Implement strict access controls and monitoring on systems that allow local socket operations to limit potential exploitation by unprivileged users.
4. Use kernel hardening features such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues early.
5. For containerized environments, ensure container runtimes and orchestration platforms are updated and configured to minimize exposure to vulnerable kernel features.
6. Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to ipvlan networking.
7. Employ network segmentation and least privilege principles to reduce the risk of local attackers gaining access to vulnerable systems.
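For mitigation item 6, here is an added C example, not from the page or any project, of the matching logic a log monitor would apply to kernel log text: it parses a KASAN report, keeps only reports whose faulting function is in the ipvlan driver, and extracts the bug class, function, PID and task name for an alert. The struct and function names are this example's own; the sample excerpts are constructed (the first follows the report quoted in the description, the second uses a hypothetical function name). Such report lines exist only on kernels built with KASAN, so this check belongs in the test environments mitigation item 4 describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One parsed KASAN report (this example's own structure). */
struct kasan_hit {
    char bug_type[32];   /* e.g. "slab-out-of-bounds" */
    char function[64];   /* faulting function, e.g. "ipvlan_xmit_mode_l2" */
    char comm[32];       /* task that triggered it, from the "Comm:" field */
    int pid;             /* from the "PID:" field, -1 if absent */
};

/* Copy the token starting at s into out, stopping at any character in stop. */
static void copy_token(char *out, size_t outsz, const char *s, const char *stop)
{
    size_t n = strcspn(s, stop);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Parse one kernel log excerpt (lines separated by '\n'). Returns true only for
 * a KASAN report whose faulting function belongs to the ipvlan driver; KASAN
 * reports elsewhere and unrelated lines return false. */
bool parse_ipvlan_kasan_report(const char *log, struct kasan_hit *hit)
{
    const char *p = strstr(log, "KASAN: ");
    if (!p)
        return false;
    p += strlen("KASAN: ");

    /* Work on the report's first line only: "<bug type> in <function>+<off>/<size> [module]" */
    char line[256];
    copy_token(line, sizeof line, p, "\n");
    copy_token(hit->bug_type, sizeof hit->bug_type, line, " ");

    const char *in = strstr(line, " in ");
    if (!in)
        return false;
    copy_token(hit->function, sizeof hit->function, in + 4, "+ ");
    if (strncmp(hit->function, "ipvlan_", 7) != 0)
        return false;

    /* Attribution: the "CPU: n PID: n Comm: name ..." line that follows. */
    hit->comm[0] = '\0';
    hit->pid = -1;
    const char *c = strstr(log, "Comm: ");
    if (c)
        copy_token(hit->comm, sizeof hit->comm, c + strlen("Comm: "), " \n");
    const char *pidp = strstr(log, "PID: ");
    if (pidp && sscanf(pidp + strlen("PID: "), "%d", &hit->pid) != 1)
        hit->pid = -1;
    return true;
}

/* Constructed excerpt, following the report quoted in the CVE description. */
const char *SAMPLE_IPVLAN_REPORT =
    "BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\n"
    "CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\n"
    "Call Trace:\n"
    " ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\n"
    " packet_direct_xmit+0x22/0x60\n";

/* Constructed, with a hypothetical function name: a KASAN report outside ipvlan. */
const char *SAMPLE_OTHER_REPORT =
    "BUG: KASAN: use-after-free in example_other_fn+0x10/0x40\n"
    "CPU: 0 PID: 42 Comm: example_task Not tainted 6.0.0-rc4+ #6\n";

/* Constructed: an ordinary ipvlan log line that must not match. */
const char *SAMPLE_NOISE = "ipvlan0: entered promiscuous mode\n";

int main(void)
{
    const char *samples[] = { SAMPLE_IPVLAN_REPORT, SAMPLE_OTHER_REPORT, SAMPLE_NOISE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct kasan_hit hit;
        if (parse_ipvlan_kasan_report(samples[i], &hit))
            printf("ALERT: KASAN %s in %s (pid %d, comm %s)\n",
                   hit.bug_type, hit.function, hit.pid, hit.comm);
        else
            printf("no ipvlan KASAN report in sample %zu\n", i);
    }
    return 0;
}
```

The Comm and PID fields are what make the alert actionable: they name the local process that drove the AF_PACKET send, which is the local-access precondition the CVSS vector (AV:L) describes.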
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:44:28.317Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5db3
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 7/3/2025, 3:10:50 AM
Last updated: 7/30/2025, 3:21:00 AM