CVE-2022-48720 is a vulnerability identified in the Linux kernel's MACsec (Media Access Control Security) implementation, specifically related to the handling of the NETDEV_UNREGISTER event. MACsec is a security protocol that provides secure communication on Ethernet links by encrypting and authenticating data at the MAC layer. The vulnerability arises because the current MACsec network device notification handler only releases software (SW) resources when a network device is unregistered (NETDEV_UNREGISTER event). However, it fails to notify the underlying hardware (HW) offload driver to clean up its MACsec offload resources. This leads to a resource leak in cases where MACsec hardware offloading is used. The root cause is that the offload handling was performed in the macsec_dellink() function, which does not cover the NETDEV_UNREGISTER event properly. The fix involves moving the offload handling to macsec_common_dellink(), ensuring that when a network device is unregistered, the underlying driver is correctly informed to release its hardware offload resources. This correction prevents resource leaks that could degrade system performance or stability over time. The affected Linux kernel versions are identified by specific commit hashes, indicating that this is a source-level vulnerability affecting certain kernel builds. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

For European organizations relying on Linux systems with MACsec hardware offload capabilities, this vulnerability could lead to resource leaks in network devices when they are unregistered. Over time, such leaks may cause degraded network performance, increased latency, or even system instability, particularly in environments with frequent network device reconfigurations or dynamic network topologies such as data centers, telecom infrastructure, or cloud providers. Confidentiality and integrity of data are not directly compromised by this vulnerability, as it does not involve bypassing encryption or authentication mechanisms. However, availability could be impacted due to resource exhaustion leading to potential denial of service conditions or degraded network throughput. Organizations with high network security requirements using MACsec offload hardware may experience operational disruptions if this issue is not addressed. Given the lack of known exploits, the immediate risk is moderate, but the potential for indirect impact on availability in critical infrastructure is notable.

To mitigate this vulnerability, European organizations should promptly update their Linux kernel to a version that includes the fix for CVE-2022-48720. Specifically, they should ensure that their kernel source or binary packages incorporate the patch that moves offload handling to macsec_common_dellink() for proper resource cleanup. Network administrators should audit their systems to identify usage of MACsec hardware offload features and monitor network device unregister events for abnormal resource consumption or performance degradation. In environments where immediate patching is not feasible, temporarily disabling MACsec hardware offload could reduce the risk of resource leaks, though this may impact network performance. Additionally, implementing robust monitoring and alerting on network device resource usage can help detect early signs of resource exhaustion. Coordination with hardware vendors to confirm compatibility with patched kernel versions is also recommended to avoid regressions.