
CVE-2022-48673: Vulnerability in the Linux kernel

Severity: High
Published: Fri May 03 2024 (05/03/2024, 14:51:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix possible access to freed memory in link clear.

After modifying the QP to the Error state, all RX WRs are completed with a WC in IB_WC_WR_FLUSH_ERR status. The current implementation does not wait for this to finish but destroys the QP and frees the link group directly, so there is a risk of accessing the freed memory in tasklet context. Here is a crash example:

BUG: unable to handle page fault for address: ffffffff8f220860
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
Oops: 0002 [#1] SMP PTI
CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23
Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 _raw_spin_lock_irqsave+0x30/0x40
 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
 smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
 tasklet_action_common.isra.21+0x66/0x100
 __do_softirq+0xd5/0x29c
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 do_softirq_own_stack+0x37/0x40
 irq_exit_rcu+0x9d/0xa0
 sysvec_call_function_single+0x34/0x80
 asm_sysvec_call_function_single+0x12/0x20

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 18:44:50 UTC

Technical Analysis

CVE-2022-48673 is a vulnerability in the Linux kernel's Shared Memory Communications (SMC, net/smc) networking code. The flaw arises from improper handling of memory when a Queue Pair (QP) is transitioned to the Error state in the InfiniBand (IB) stack. When a QP is moved to the Error state, all outstanding receive work requests (RX WRs) are completed with a Work Completion (WC) status of IB_WC_WR_FLUSH_ERR. The unpatched implementation does not wait for these completions to be processed before destroying the QP and freeing the associated link group memory. This premature free leads to a use-after-free when the RX tasklet later polls the completion queue and touches the freed link, resulting in kernel crashes or potential arbitrary code execution. The crash log above shows a kernel page fault from an invalid write in native_queued_spin_lock_slowpath, reached from smc_wr_rx_tasklet_fn through mlx5_ib_poll_cq, i.e. the tasklet taking a spinlock that lives in freed memory. This vulnerability affects Linux kernel versions prior to the fix and is most relevant to systems using InfiniBand or SMC networking, commonly found in high-performance computing and data center environments. No exploits are currently known in the wild, and no CVSS score has been assigned yet.
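To make the ordering defect from the description and the analysis above concrete, here is an added single-threaded model of the link-clear sequence. It is constructed for this page and is not net/smc code: the struct and function names are assumed, the tasklet is driven by a loop instead of running in softirq context, and freeing is tracked with a flag so the unsafe access is counted rather than crashed on.

```c
#include <stdbool.h>

#define RX_WR_COUNT 4

struct link_model {                /* assumed model, not the kernel's struct smc_link */
    int rx_posted;                 /* RX WRs outstanding on the QP */
    int cq_flushed;                /* IB_WC_WR_FLUSH_ERR completions waiting in the CQ */
    int rx_completed;              /* completions the tasklet has already polled */
    bool freed;                    /* models the link group having been freed */
};

/* QP -> Error: every outstanding RX WR is completed with IB_WC_WR_FLUSH_ERR,
 * so the CQ now holds one completion per WR that the tasklet must still poll. */
static void qp_set_error(struct link_model *lnk)
{
    lnk->cq_flushed = lnk->rx_posted;
}

/* RX tasklet: polls one completion and takes a spinlock inside the link.
 * Returns false when the link it dereferences has already been freed. */
static bool rx_tasklet_poll(struct link_model *lnk)
{
    bool safe = !lnk->freed;       /* false = the access in the crash above */
    if (lnk->rx_completed < lnk->cq_flushed)
        lnk->rx_completed++;
    return safe;
}

/* Runs one link teardown and returns how many tasklet polls touched freed
 * memory. wait_for_flush=false is the pre-patch order (destroy and free right
 * after QP -> Error); true waits until the flush completions are drained. */
int run_link_clear(bool wait_for_flush)
{
    struct link_model lnk = { .rx_posted = RX_WR_COUNT };
    int unsafe = 0;
    qp_set_error(&lnk);
    if (wait_for_flush)            /* the fix: let the tasklet finish first */
        while (lnk.rx_completed < lnk.rx_posted)
            rx_tasklet_poll(&lnk); /* stands in for the tasklet running meanwhile */
    lnk.freed = true;              /* destroy QP, free link group */
    while (lnk.rx_completed < lnk.rx_posted)  /* tasklet runs after the free */
        if (!rx_tasklet_poll(&lnk))
            unsafe++;
    return unsafe;
}
```

With four posted RX WRs the pre-patch order yields four accesses to freed memory and the waiting order yields none.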

Potential Impact

For European organizations, the impact of CVE-2022-48673 can be significant, especially for enterprises relying on Linux servers with InfiniBand or SMC networking capabilities. These systems are common in research institutions, financial services, telecommunications, and cloud service providers that require low-latency, high-throughput networking. Exploitation could lead to kernel crashes causing denial of service (DoS), disrupting critical services and potentially leading to data loss or corruption. In worst-case scenarios, if an attacker can leverage the use-after-free condition for arbitrary code execution, it could lead to privilege escalation and full system compromise. This risk is heightened in multi-tenant environments or where remote access to vulnerable systems is possible. The absence of known exploits suggests a window of opportunity for proactive patching before widespread attacks emerge.

Mitigation Recommendations

To mitigate CVE-2022-48673, European organizations should:

1) Immediately apply the official Linux kernel patches that address this vulnerability, ensuring all affected systems are updated to a secure kernel version.
2) Audit and monitor the use of InfiniBand and SMC networking features; if these are not required, consider disabling them to reduce the attack surface.
3) Implement strict access controls and network segmentation to limit exposure of vulnerable systems, especially those accessible from untrusted networks.
4) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to reduce exploitation likelihood.
5) Monitor system logs and kernel crash reports for signs of exploitation attempts or instability related to this vulnerability.
6) Coordinate with hardware vendors for firmware updates or configuration guidance related to InfiniBand devices to ensure compatibility and security.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-25T13:44:28.321Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe5e39

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 6:44:50 PM

Last updated: 8/12/2025, 12:42:03 PM

