CVE-2022-48688: Vulnerability in the Linux kernel (i40e driver)
Description
In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix kernel crash during module removal

The driver incorrectly frees client instance and subsequent
i40e module removal leads to kernel crash.

Reproducer:
1. Do ethtool offline test followed immediately by another one
host# ethtool -t eth0 offline; ethtool -t eth0 offline
2. Remove recursively irdma module that also removes i40e module
host# modprobe -r irdma

Result:
[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting
[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished
[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting
[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished
[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110
[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2
[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01
[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1
[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 8687.768755] #PF: supervisor read access in kernel mode
[ 8687.773895] #PF: error_code(0x0000) - not-present page
[ 8687.779034] PGD 0 P4D 0
[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2
[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019
[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]
[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b
[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202
[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000
[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000
[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000
[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0
[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008
[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000
[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0
[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8687.905572] PKRU: 55555554
[ 8687.908286] Call Trace:
[ 8687.910737] <TASK>
[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]
[ 8687.917040] pci_device_remove+0x33/0xa0
[ 8687.920962] device_release_driver_internal+0x1aa/0x230
[ 8687.926188] driver_detach+0x44/0x90
[ 8687.929770] bus_remove_driver+0x55/0xe0
[ 8687.933693] pci_unregister_driver+0x2a/0xb0
[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]

Two offline tests cause IRDMA driver failure (ETIMEDOUT) and this failure
is indicated back to i40e_client_subtask() that calls
i40e_client_del_instance() to free client instance referenced by
pf->cinst and sets this pointer to NULL. During the module removal
i40e_remove() calls i40e_lan_del_device() that dereferences pf->cinst
that is NULL -> crash.

Do not remove client instance when client open callbacks fails and just
clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs to take
care about this situation (when netdev is up and client is NOT opened)
in i40e_notify_client_of_netdev_close() and calls client close callback
only when __I40E_CLIENT_INSTANCE_OPENED is set.
AI Analysis
Technical Summary
CVE-2022-48688 is a NULL pointer dereference in the Linux kernel's i40e driver (Intel Ethernet 700 series adapters) that is reached during driver removal. i40e keeps a client instance for the irdma RDMA driver in pf->cinst. In the vulnerable code, when the client's open callback fails, i40e_client_subtask() calls i40e_client_del_instance(), which frees that instance and sets pf->cinst to NULL. Nothing in the teardown path accounts for this state: a later i40e_remove() (reached from i40e_exit_module() via pci_unregister_driver(), i.e. rmmod) calls i40e_lan_del_device(), which dereferences pf->cinst unconditionally. The oops confirms this: the faulting address is 0x30, RAX is 0, and the instruction at the <48> marker in the Code line (48 8b 68 30, mov 0x30(%rax),%rbp) is a load from a field of the NULL instance. So this is a plain NULL dereference, not a use-after-free; the pointer is cleared correctly when the instance is freed, and the defect is that the remove path assumes it is always valid. The reproducer in the commit message makes the open callback fail by running two ethtool offline self-tests back to back; the second leaves irdma's hardware initialization timing out ("IRDMA hardware initialization FAILED ... status=-110", i.e. -ETIMEDOUT). Removing irdma with modprobe -r then also unloads its now-unused dependency i40e and hits the crash. The fix keeps the instance allocated when the open callback fails and only clears __I40E_CLIENT_INSTANCE_OPENED; since an allocated-but-unopened instance is now a legal state, i40e_notify_client_of_netdev_close() is changed to invoke the client's close callback only when that bit is set. The impact is limited to availability: the kernel oopses in the rmmod context, taking the host down or into kdump. Both steps of the reproducer require root (ethtool -t needs CAP_NET_ADMIN, module removal needs CAP_SYS_MODULE), so no privilege boundary is crossed and there is no path to privilege escalation or remote code execution; the record carries no CVSS score. Affected are kernels whose i40e driver predates the fix (the crash in the commit message was captured on a 5.19.0+ build); the fix has been merged upstream and the kernel CVE entry was published in 2024. No exploitation in the wild is reported as of the publication date.
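The following C model is an added illustration and is not the driver's code nor part of the original advisory. It reduces the client-instance lifecycle described above to the three decisions the fix changes, so the vulnerable and fixed behaviour can be compared side by side in user space. The names subtask(), notify_close(), lan_del_device(), del_instance() and the OPENED flag are stand-ins for i40e_client_subtask(), i40e_notify_client_of_netdev_close(), i40e_lan_del_device(), i40e_client_del_instance() and __I40E_CLIENT_INSTANCE_OPENED; run_scenario() is a constructed harness standing in for the rmmod path. Where the real driver dereferences NULL and oopses, the model sets a crashed flag instead so that it runs to completion.

```c
/*
 * Simplified model of the i40e client-instance lifecycle behind CVE-2022-48688.
 * Added illustration only; all names below are stand-ins for the driver's.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define OPENED (1u << 0)          /* models __I40E_CLIENT_INSTANCE_OPENED */

struct cinst {                    /* models struct i40e_client_instance */
	unsigned long state;
};

struct pf {                       /* the relevant slice of struct i40e_pf */
	struct cinst *cinst;
	bool hw_init_fails;           /* constructed: set after two back-to-back offline tests */
	int close_calls;              /* how many times the client close op ran */
	bool crashed;                 /* set where the real driver would oops */
};

/* Client open op: irdma hardware init times out (-ETIMEDOUT == -110 on Linux). */
static int client_open(const struct pf *pf)
{
	return pf->hw_init_fails ? -ETIMEDOUT : 0;
}

static void client_close(struct pf *pf)
{
	pf->close_calls++;
}

/* Models i40e_client_del_instance(): frees the instance and clears pf->cinst. */
static void del_instance(struct pf *pf)
{
	free(pf->cinst);
	pf->cinst = NULL;
}

/* Models i40e_client_subtask(): allocate the instance, then try to open the client. */
static void subtask(struct pf *pf, bool fixed)
{
	if (!pf->cinst) {
		pf->cinst = calloc(1, sizeof(*pf->cinst));
		if (!pf->cinst)
			return;
	}
	if (pf->cinst->state & OPENED)
		return;
	if (client_open(pf) < 0) {
		if (fixed)
			pf->cinst->state &= ~OPENED;  /* fix: keep the instance, mark it not opened */
		else
			del_instance(pf);             /* bug: instance freed, pf->cinst == NULL */
		return;
	}
	pf->cinst->state |= OPENED;
}

/* Models i40e_notify_client_of_netdev_close(): runs when the netdev goes down. */
static void notify_close(struct pf *pf, bool fixed)
{
	if (!pf->cinst)
		return;
	if (fixed && !(pf->cinst->state & OPENED))
		return;                           /* fix: never close a client that was never opened */
	client_close(pf);
	pf->cinst->state &= ~OPENED;
}

/* Models i40e_lan_del_device(): uses pf->cinst without checking it. */
static void lan_del_device(struct pf *pf)
{
	if (!pf->cinst) {
		pf->crashed = true;               /* real driver: NULL pointer dereference in rmmod */
		return;
	}
	del_instance(pf);
}

/*
 * Constructed harness for the "ethtool -t offline; ethtool -t offline; modprobe -r irdma"
 * sequence. hw_init_fails selects whether the client open op times out;
 * fixed selects the patched behaviour. Returns the final pf state.
 */
struct pf run_scenario(bool hw_init_fails, bool fixed)
{
	struct pf pf;

	memset(&pf, 0, sizeof(pf));
	pf.hw_init_fails = hw_init_fails;

	subtask(&pf, fixed);          /* service task after the offline tests */
	notify_close(&pf, fixed);     /* netdev goes down during remove */
	lan_del_device(&pf);          /* i40e_remove -> i40e_lan_del_device */
	return pf;
}
```

run_scenario(true, false) reproduces the advisory: the open op fails, the instance is freed, and the remove path then trips over the NULL pointer. run_scenario(true, true) shows the patched flow: the instance survives the failed open with OPENED clear, the close callback is skipped because the client was never opened, and removal frees the instance normally. With hw_init_fails false both variants open and close the client once.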
Potential Impact
For European organizations running Linux on servers with Intel 700-series Ethernet adapters driven by i40e, and in particular those that also load irdma for RDMA, the risk is to availability: a kernel oops on the host during a maintenance operation. Data centers, cloud providers, telecom operators and enterprises with this hardware can lose a node when an operator or a maintenance script runs NIC offline self-tests and then reloads the drivers, for example as part of hardware diagnostics or a driver update procedure. High-availability and real-time environments are the most exposed, because the crash takes down every workload on the host, not only networking. Deliberate exploitation is a secondary concern: triggering the bug requires root (CAP_NET_ADMIN for the self-test and CAP_SYS_MODULE for the module removal), so an attacker with that access already has more direct ways to take the host down; the realistic threats are accidental triggering by privileged automation, and a root-level insider or an already-compromised host using it to cause disruption. Confidentiality and integrity are not affected. Availability obligations under the EU NIS Directive still make the fix worth prioritizing for operators of essential services in finance, healthcare and manufacturing.
Mitigation Recommendations
Apply the kernel update from your distribution that carries the upstream fix ("i40e: Fix kernel crash during module removal"). The fix is already merged upstream, so for most distributions this means moving to a kernel that includes the backport rather than waiting for a new patch. Until then, treat the sequence of an ethtool offline self-test on an i40e interface followed by unloading irdma or i40e as unsafe: after any offline self-test, check the kernel log for "IRDMA hardware initialization FAILED" before running modprobe -r, and if that message is present do not unload the modules on a vulnerable kernel. Review maintenance scripts and orchestration playbooks (NIC burn-in tests, driver reload steps, firmware update procedures) that run ethtool self-tests or reload these modules, since automation is the most likely way to hit this unintentionally. Because the trigger needs CAP_NET_ADMIN and CAP_SYS_MODULE, limiting which users and services hold those capabilities is the effective access control; on hardened hosts where drivers never need reloading after boot, setting kernel.modules_disabled=1 removes the module-unload step entirely (it is irreversible until reboot, so apply it only where reloads are never needed). Keep kdump configured on affected servers (the trace in the commit message was captured with kdump loaded) so a crash yields a vmcore rather than only a lost host, and alert on the IRDMA init failure message and on the oops signature (RIP in i40e_lan_del_device, Comm: rmmod) in kernel logs. Beyond that, the usual hygiene applies: keep kernels current, and make sure high-availability configurations survive a single host crash, since the impact here is a full kernel oops rather than a degraded service.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-03T14:55:07.144Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5e74
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 6:55:52 PM
Last updated: 7/31/2025, 10:40:38 AM