
CVE-2022-48687: Vulnerability in the Linux kernel

Medium
Published: Fri May 03 2024 (05/03/2024, 14:59:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: fix out-of-bounds read when setting HMAC data

The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info:

    Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
    208             memcpy(hinfo->secret, secret, slen);
    (gdb) bt
    #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
    #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731
    #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
    #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
    #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501
    #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
    #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319
    #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345
    #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
    ...
    (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
    $1 = 0xffff88800b1b76c0
    (gdb) p/x secret
    $2 = 0xffff88800b1b76c0
    (gdb) p slen
    $3 = 64 '@'

The OOB data can then be read back from userspace by dumping HMAC state.

This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET.

AI-Powered Analysis

Last updated: 06/30/2025, 18:55:26 UTC

Technical Analysis

CVE-2022-48687 is an out-of-bounds read in the Linux kernel's IPv6 Segment Routing (SRv6) implementation, in the generic netlink handler seg6_genl_sethmac() (net/ipv6/seg6.c) that installs the HMAC secrets used to sign Segment Routing Headers. A SEG6_CMD_SETHMAC request carries four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. The handler takes the secret length from SECRETLEN, checks only that it does not exceed the 64-byte maximum (SEG6_HMAC_SECRET_LEN), and then copies that many bytes out of the SECRET attribute's payload with memcpy(hinfo->secret, secret, slen). Nothing ties SECRETLEN to the number of bytes actually present in SECRET, so a message with an empty SECRET attribute and SECRETLEN = 64 makes the memcpy read 64 bytes past the attribute, past the end of the skb's data area (skb->end) and into the adjacent skb_shared_info structure. The gdb session in the description shows exactly this: the secret pointer equals skb->head + skb->end and slen is 64. The copied bytes are stored as the HMAC secret for that key id and are handed back to userspace by the SEG6_CMD_DUMPHMAC dump operation, so the sender can read them. The result is a disclosure of up to 64 bytes of kernel memory per request; the bug has no write side and the CVE does not describe code execution or privilege escalation. The fix adds one check before the copy, rejecting the request with -EINVAL when SECRETLEN exceeds nla_len() of the SECRET attribute.

Reachability is the important caveat. The seg6 generic netlink operations are flagged GENL_ADMIN_PERM, which is checked with netlink_capable(skb, CAP_NET_ADMIN) against the initial user namespace, not GENL_UNS_ADMIN_PERM, so creating an unprivileged user namespace does not open this path: the caller needs CAP_NET_ADMIN in the init user namespace, which in practice means root or a process (or container) explicitly granted that capability. The vulnerable code is compiled only when CONFIG_IPV6_SEG6_HMAC is enabled, which is common in distribution kernels; SRv6 does not have to be configured or in use for the netlink command to be reachable. The fix is in Linux 6.0 and was backported to the stable series. No exploits in the wild were known at publication.
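The mechanism described above, as an added example that is not the kernel's code: a userspace C model of the SETHMAC attribute handling. It re-implements the netlink attribute layout and the length checks of seg6_genl_sethmac() before and after the fix, with a byte array standing in for the skb and 'A' bytes standing in for skb_shared_info. The attribute numbers, the 64-byte limit and the check order mirror the kernel; everything else (the buffer size, key id 42, the sample secrets) is constructed for the demonstration. Running it shows the unfixed logic storing 64 bytes from past the message end, while the fixed logic rejects the same request with -EINVAL and still accepts a well-formed one.

```c
/* Userspace model of SEG6_CMD_SETHMAC handling (added example, not kernel code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG6_HMAC_SECRET_LEN 64   /* kernel maximum for an HMAC secret */
#define EINVAL 22

/* Attribute numbers as in include/uapi/linux/seg6_genl.h. */
enum {
    SEG6_ATTR_UNSPEC, SEG6_ATTR_DST, SEG6_ATTR_DSTLEN, SEG6_ATTR_HMACKEYID,
    SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN, SEG6_ATTR_ALGID, SEG6_ATTR_HMACINFO,
    SEG6_ATTR_MAX = SEG6_ATTR_HMACINFO
};

/* Netlink attribute: 16-bit length including this header, 16-bit type, 4-byte padded. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN 4u
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
static const unsigned char *nla_data(const struct nlattr *a) { return (const unsigned char *)a + NLA_HDRLEN; }
static unsigned nla_payload_len(const struct nlattr *a) { return a->nla_len - NLA_HDRLEN; }

struct seg6_hmac_info { uint32_t hmackeyid; char secret[SEG6_HMAC_SECRET_LEN]; uint8_t slen; uint8_t alg_id; };

/* Stand-in for the skb: attributes occupy buf[0, end); the bytes from `end` on play the
 * role of skb_shared_info, the memory that follows skb->end in the real kernel. */
#define SKB_SIZE 128
struct skb_model { _Alignas(4) unsigned char buf[SKB_SIZE]; size_t end; };

static void put_attr(struct skb_model *skb, uint16_t type, const void *payload, uint16_t plen)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + plen), type };
    size_t total = NLA_ALIGN(NLA_HDRLEN + plen);
    memcpy(skb->buf + skb->end, &hdr, sizeof hdr);
    memcpy(skb->buf + skb->end + NLA_HDRLEN, payload, plen);
    memset(skb->buf + skb->end + NLA_HDRLEN + plen, 0, total - NLA_HDRLEN - plen);
    skb->end += total;
}

/* Minimal nla_parse(): index the attributes by type, rejecting truncated ones. */
static int nla_parse(const struct nlattr *tb[], const struct skb_model *skb)
{
    size_t off = 0;
    memset(tb, 0, sizeof(*tb) * (SEG6_ATTR_MAX + 1));
    while (off + NLA_HDRLEN <= skb->end) {
        const struct nlattr *a = (const struct nlattr *)(skb->buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > skb->end)
            return -EINVAL;
        if (a->nla_type <= SEG6_ATTR_MAX)
            tb[a->nla_type] = a;
        off += NLA_ALIGN(a->nla_len);
    }
    return 0;
}

/* Mirrors the checks of seg6_genl_sethmac(); `fixed` enables the one check the patch added. */
static int seg6_sethmac(const struct skb_model *skb, int fixed, struct seg6_hmac_info *out)
{
    const struct nlattr *tb[SEG6_ATTR_MAX + 1];
    uint32_t hmackeyid;
    uint8_t slen, algid;

    if (nla_parse(tb, skb))
        return -EINVAL;
    if (!tb[SEG6_ATTR_HMACKEYID] || !tb[SEG6_ATTR_SECRETLEN] || !tb[SEG6_ATTR_ALGID])
        return -EINVAL;
    memcpy(&hmackeyid, nla_data(tb[SEG6_ATTR_HMACKEYID]), sizeof hmackeyid);
    slen = nla_data(tb[SEG6_ATTR_SECRETLEN])[0];
    algid = nla_data(tb[SEG6_ATTR_ALGID])[0];
    if (hmackeyid == 0)
        return -EINVAL;
    if (slen > SEG6_HMAC_SECRET_LEN)      /* pre-fix: bounds the copy length, not its source */
        return -EINVAL;
    if (!slen)                            /* slen == 0 deletes the key id; nothing is copied */
        return 0;
    if (!tb[SEG6_ATTR_SECRET])
        return -EINVAL;
    if (fixed && slen > nla_payload_len(tb[SEG6_ATTR_SECRET]))   /* the patch */
        return -EINVAL;
    memset(out, 0, sizeof *out);
    /* net/ipv6/seg6.c:208 in the trace: with an empty SECRET attribute at the end of the
     * message this reads slen bytes past `end`, i.e. out of the "skb_shared_info" bytes. */
    memcpy(out->secret, nla_data(tb[SEG6_ATTR_SECRET]), slen);
    out->slen = slen;
    out->alg_id = algid;
    out->hmackeyid = hmackeyid;
    return 0;
}

/* Constructed SETHMAC request. SECRET is placed last so its payload starts at `end`, matching
 * the gdb session where secret == skb->head + skb->end; bytes beyond `end` are 'A'. */
static void build_sethmac(struct skb_model *skb, uint8_t secretlen, const char *secret, uint16_t nbytes)
{
    uint32_t keyid = 42;   /* arbitrary non-zero key id (constructed) */
    uint8_t algid = 1;     /* SEG6_HMAC_ALGO_SHA1 */
    memset(skb, 'A', sizeof *skb);
    skb->end = 0;
    put_attr(skb, SEG6_ATTR_HMACKEYID, &keyid, sizeof keyid);
    put_attr(skb, SEG6_ATTR_SECRETLEN, &secretlen, 1);
    put_attr(skb, SEG6_ATTR_ALGID, &algid, 1);
    put_attr(skb, SEG6_ATTR_SECRET, secret, nbytes);
}

/* Handler status for a given SECRETLEN / SECRET combination. */
static int sethmac_status(int fixed, uint8_t secretlen, const char *secret, uint16_t nbytes)
{
    struct skb_model skb;
    struct seg6_hmac_info hinfo;
    build_sethmac(&skb, secretlen, secret, nbytes);
    return seg6_sethmac(&skb, fixed, &hinfo);
}

/* Out-of-bounds bytes that the CVE's crafted message (secret = "", secretlen = 64) leaves in the stored secret. */
static int leaked_bytes(int fixed)
{
    struct skb_model skb;
    struct seg6_hmac_info hinfo;
    int i, n = 0;
    build_sethmac(&skb, 64, "", 0);
    if (seg6_sethmac(&skb, fixed, &hinfo) != 0)
        return 0;
    for (i = 0; i < hinfo.slen; i++)
        n += hinfo.secret[i] == 'A';
    return n;
}

int main(void)
{
    printf("unfixed: %d bytes past skb end copied into the secret\n", leaked_bytes(0));
    printf("fixed:   %d bytes (status %d)\n", leaked_bytes(1), sethmac_status(1, 64, "", 0));
    return 0;
}
```

The model keeps the kernel's check order on purpose: the SEG6_HMAC_SECRET_LEN test caps how far the copy runs (64 bytes, which is why the leak is bounded) but says nothing about where the source bytes come from, and the deletion path (slen == 0) returns before any copy, so only a non-zero SECRETLEN paired with a too-short SECRET reaches the memcpy.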

Potential Impact

For European organizations the exposure is a local kernel memory disclosure, not a remote or unauthenticated attack. The request only reaches the vulnerable code from a process holding CAP_NET_ADMIN in the initial user namespace, so the realistic scenarios are an attacker who already has root or an equivalently privileged foothold, or a container, CNI plugin, service mesh sidecar, VPN agent or other management component that was granted CAP_NET_ADMIN on a shared host. From such a position up to 64 bytes of skb_shared_info (which holds skb metadata including pointer fields) can be read per request, and the request can be repeated with different key ids, so the leak is usable as a kernel pointer or memory disclosure that supports a later exploit, for instance to defeat KASLR, rather than as a direct compromise. The bug does not require SRv6 to be in use: any kernel built with CONFIG_IPV6_SEG6_HMAC exposes the netlink command, which covers ordinary distribution kernels on servers and virtual machines as well as the telecom and data-centre systems that actually run SRv6 with HMAC-protected segment lists. Hosts that run multi-tenant or third-party workloads with CAP_NET_ADMIN are therefore where the bug most plausibly matters; on a single-tenant server where only root could send the message, it adds little to what root can already do, although it still undermines kernels that rely on lockdown or similar controls to keep root out of kernel memory.

Mitigation Recommendations

To mitigate CVE-2022-48687, European organizations should:

1) Update to a kernel that contains the fix (Linux 6.0 or a stable release with the backport) using the distribution's security advisory to identify the package version. The fix is a single validation that SECRETLEN cannot exceed the length of the SECRET attribute; there is no configuration workaround for the check itself.

2) Treat CAP_NET_ADMIN as the control point. The seg6 netlink operations require CAP_NET_ADMIN in the initial user namespace, so the handler is unreachable from any process that lacks it. Remove the capability from services and containers that do not need it, and where it is needed, confine the process with SELinux (the netlink_generic_socket class covers generic netlink) or AppArmor so that only the intended binaries can open generic netlink sockets.

3) Monitor for the precondition rather than the bug. The out-of-bounds read produces no kernel log line, so detection has to look at which workloads hold CAP_NET_ADMIN and at unexpected netlink socket creation, for example an auditd rule on socket() with a0 equal to AF_NETLINK (16) scoped to processes that should never use it.

4) Disabling the feature is a build-time decision: CONFIG_IPV6_SEG6_HMAC is not a module and cannot be turned off at runtime, so only organisations that build their own kernels can remove the code path. For everyone else the patch is the fix.

5) In virtualized and containerized environments, do not grant CAP_NET_ADMIN to tenant workloads (in Kubernetes, drop all capabilities by default and add NET_ADMIN only to the specific network components that need it). Unprivileged user namespaces do not confer the capability the seg6 handler checks, so they are neither a risk factor nor a mitigation here.

6) Include the kernel version in routine vulnerability scanning and fleet inventory so that hosts still running pre-fix kernels, including long-lived VM images and appliances, are found and updated.

7) Make administrators aware that netlink configuration interfaces run with the caller's kernel privileges and that kernel updates close these paths; no application-level hardening substitutes for the fix.

These measures go beyond generic advice by focusing on CAP_NET_ADMIN and generic netlink access, which is the only route to the vulnerable code.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-03T14:55:07.144Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d982ec4522896dcbe5e65

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 6:55:26 PM

Last updated: 7/31/2025, 5:59:34 AM

