CVE-2022-48719: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work

syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:

  kworker/0:16/14617 is trying to acquire lock:
  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652
  [...]
  but task is already holding lock:
  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572

The neighbor entry turned to NUD_FAILED state, where __neigh_event_send() triggered an immediate probe as per commit cd28ca0a3dd1 ("neigh: reduce arp latency") via neigh_probe() given table lock was held.

One option to fix this situation is to defer the neigh_probe() back to the neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case of NTF_MANAGED, this deferral is acceptable given this only happens on actual failure state and regular / expected state is NUD_VALID with the entry already present.

The fix adds a parameter to __neigh_event_send() in order to communicate whether immediate probe is allowed or disallowed. Existing call-sites of neigh_event_send() default as-is to immediate probe. However, the neigh_managed_work() disables it via use of neigh_event_send_probe().

[0] <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]
  check_deadlock kernel/locking/lockdep.c:2999 [inline]
  validate_chain kernel/locking/lockdep.c:3788 [inline]
  __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027
  lock_acquire kernel/locking/lockdep.c:5639 [inline]
  lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
  __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]
  _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334
  ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652
  ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123
  __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
  __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170
  ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
  NF_HOOK_COND include/linux/netfilter.h:296 [inline]
  ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
  dst_output include/net/dst.h:451 [inline]
  NF_HOOK include/linux/netfilter.h:307 [inline]
  ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508
  ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
  ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742
  neigh_probe+0xc2/0x110 net/core/neighbour.c:1040
  __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201
  neigh_event_send include/net/neighbour.h:470 [inline]
  neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574
  process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
  worker_thread+0x657/0x1110 kernel/workqueue.c:2454
  kthread+0x2e9/0x3a0 kernel/kthread.c:377
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
AI Analysis
Technical Summary
CVE-2022-48719 is a deadlock in the neighbor (neigh) management code of the Linux kernel's networking subsystem. It is triggered when the kernel handles a neighbor entry that has transitioned to the NUD_FAILED state.

The flaw lies in the interaction between the immediate probe triggered by __neigh_event_send() and the lock protecting the neighbor table. When a neighbor entry fails (NUD_FAILED), the kernel sends an immediate probe (neigh_probe()) while neigh_managed_work() is holding the neighbor table lock (tbl->lock). The probe's transmit path ends in ___neigh_create(), which tries to acquire the same lock the current task already holds, so the task deadlocks. The syzkaller kernel fuzzer reproduced the condition: the kworker thread trying to acquire the lock was already holding it, causing the system to hang.

The root cause is linked to a change (commit cd28ca0a3dd1, "neigh: reduce arp latency") intended to reduce ARP latency by triggering immediate probes on failure states. The fix defers the probe back to neigh_timer_handler(), as before that commit, but only for NTF_MANAGED entries, where the deferral is acceptable. It does so by adding a parameter to __neigh_event_send() that controls whether an immediate probe is allowed, which prevents the deadlock.

This vulnerability affects Linux kernel versions identified by the commit hash 7482e3841d520a368426ac196720601687e2dc47 and was published on June 20, 2024. There are no known exploits in the wild currently, and no CVSS score has been assigned yet.
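The lock recursion and the fix described above, as an added userspace model (not kernel code and not from the advisory). The function names mirror the kernel's, but the struct, its counters and the immediate_ok flag are assumptions made for illustration; a re-acquire that would hang in the kernel is counted instead.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; names mirror the kernel functions in the advisory. */
struct table { bool locked; int pending, probes_sent, self_deadlocks; };

/* Non-recursive lock. A second acquire by the holder never returns in the
 * kernel; the model counts it and reports failure instead of hanging. */
static bool tbl_lock(struct table *t) {
    if (t->locked) { t->self_deadlocks++; return false; }
    t->locked = true;
    return true;
}
static void tbl_unlock(struct table *t) { t->locked = false; }

/* Probe transmit path: per the trace it reaches ___neigh_create(), which
 * takes tbl->lock again. */
static void neigh_probe(struct table *t) {
    if (tbl_lock(t)) { t->probes_sent++; tbl_unlock(t); }
}

/* immediate_ok models the parameter the fix adds to __neigh_event_send(). */
static void neigh_event_send(struct table *t, bool nud_failed, bool immediate_ok) {
    if (!nud_failed) return;
    if (immediate_ok) neigh_probe(t);   /* behaviour since cd28ca0a3dd1 */
    else t->pending++;                  /* deferred to the timer handler */
}

/* Runs later from the timer, with the table lock not held. */
static void neigh_timer_handler(struct table *t) {
    while (t->pending > 0) { t->pending--; neigh_probe(t); }
}

/* neigh_managed_work(): sends events while holding the table lock. */
static struct table run_managed_work(bool immediate_ok) {
    struct table t = {0};
    tbl_lock(&t);
    neigh_event_send(&t, true, immediate_ok);
    tbl_unlock(&t);
    neigh_timer_handler(&t);
    return t;
}

int main(void) {
    struct table a = run_managed_work(true), b = run_managed_work(false);
    printf("immediate: self_deadlocks=%d probes_sent=%d\n", a.self_deadlocks, a.probes_sent);
    printf("deferred:  self_deadlocks=%d probes_sent=%d\n", b.self_deadlocks, b.probes_sent);
    return 0;
}
```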
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are common in servers, network appliances, and embedded devices. The deadlock can cause kernel worker threads to hang, potentially leading to system instability, degraded network performance, or denial of service (DoS) conditions. This can disrupt critical services, especially in environments relying heavily on Linux-based infrastructure such as cloud providers, telecommunications, financial institutions, and government agencies. The impact on confidentiality and integrity is minimal since the vulnerability does not directly allow code execution or privilege escalation. However, availability is significantly affected due to the potential for deadlocks causing system hangs or crashes. In networked environments, this could lead to outages or degraded service quality, impacting business continuity and operational reliability.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2022-48719 as soon as it becomes available. Until patches are applied, organizations can mitigate risk by:
1) Monitoring kernel logs for signs of deadlocks or related errors in the neighbor subsystem.
2) Limiting exposure of vulnerable systems to untrusted networks to reduce the chance of triggering the deadlock.
3) Employing kernel hardening and monitoring tools that can detect and alert on kernel worker thread stalls or hangs.
4) For critical systems, considering redundancy and failover mechanisms to maintain availability in case of a deadlock-induced outage.
5) Engaging with Linux distribution vendors to obtain backported patches if immediate kernel upgrades are not feasible.
6) Reviewing and restricting network configurations that may cause frequent neighbor state transitions to NUD_FAILED, reducing the likelihood of triggering the vulnerability.
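For the log-monitoring item, an added example (not from the advisory or the kernel project) that matches the lockdep report quoted in the description against kernel log lines. It assumes a kernel built with lockdep, since only such kernels print this report; the function names are hypothetical and the sample lines are constructed, with invented timestamps.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the hex lock address that precedes " (&tbl->lock)" into out. */
static void lock_addr(const char *line, char out[17]) {
    const char *end = strstr(line, " (&tbl->lock)"), *p = end;
    out[0] = '\0';
    if (!end) return;
    while (p > line && end - p < 16 && isxdigit((unsigned char)p[-1])) p--;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
}

/* 1 if one &tbl->lock instance is requested in ___neigh_create while held by neigh_managed_work. */
static int match_neigh_deadlock(const char *const *lines, size_t n) {
    char acq[17] = "", held[17] = "";
    int section = 0; /* 1: after "trying to acquire", 2: after "already holding" */
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "is trying to acquire lock:")) { section = 1; acq[0] = '\0'; }
        else if (strstr(l, "but task is already holding lock:")) section = 2;
        else if (section == 1 && strstr(l, "at: ___neigh_create+")) { lock_addr(l, acq); section = 0; }
        else if (section == 2 && strstr(l, "at: neigh_managed_work+")) {
            lock_addr(l, held); section = 0;
            if (acq[0] && strcmp(acq, held) == 0) return 1;
        }
    }
    return 0;
}

/* Constructed samples: report text from the advisory, timestamps invented. */
static const char *const SAMPLE_HIT[] = {
    "[  101.000001] kworker/0:16/14617 is trying to acquire lock:",
    "[  101.000002] ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652",
    "[  101.000003] but task is already holding lock:",
    "[  101.000004] ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572",
};
/* Constructed negative: the held lock is a different instance. */
static const char *const SAMPLE_MISS[] = {
    "[  202.000001] kworker/0:16/14617 is trying to acquire lock:",
    "[  202.000002] ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652",
    "[  202.000003] but task is already holding lock:",
    "[  202.000004] ffffffff8d4dd999 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572",
};
int main(void) {
    printf("hit=%d miss=%d\n", match_neigh_deadlock(SAMPLE_HIT, 4), match_neigh_deadlock(SAMPLE_MISS, 4));
    return 0;
}
```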
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-20T11:09:39.051Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5f4a
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 7:40:43 PM
Last updated: 8/15/2025, 11:42:00 AM