CVE-2022-48760: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers.
AI Analysis
Technical Summary
CVE-2022-48760 is a concurrency-related vulnerability in the Linux kernel's USB core subsystem. The issue arises from improper memory ordering on symmetric multiprocessing (SMP) systems during the execution of usb_kill_urb() and __usb_hcd_giveback_urb() functions, which manage USB Request Blocks (URBs). Specifically, the problem is due to the lack of appropriate memory barriers around atomic operations on urb->reject and urb->use_count variables. On SMP systems, the CPUs may reorder memory accesses, causing a scenario known as Store Buffering (SB). In this case, CPU 0 writes to urb->reject and then reads urb->use_count, while CPU 1 writes urb->use_count and then reads urb->reject. Without memory barriers, these reads can be executed before the writes, leading to inconsistent views of these variables across CPUs. Consequently, usb_kill_urb() can hang indefinitely because CPU 0 waits on a condition that never becomes true, as it misses the wakeup notification triggered by CPU 1. This hang affects USB device removal or cancellation operations, potentially causing system instability or denial of service. The vulnerability also affects usb_poison_urb() and the failure path of usb_hcd_submit_urb(). The fix involves adding full memory barriers (smp_mb__after_atomic()) after atomic increments and decrements to enforce proper ordering and ensure wakeup notifications are reliably delivered. This patch prevents the hang by guaranteeing that the updates to urb->reject and urb->use_count are seen in the correct order across CPUs. The vulnerability was identified by the syzbot fuzzer and affects Linux kernel versions prior to the patch commit identified by the hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, this vulnerability could lead to system hangs or denial of service on Linux systems that handle USB devices, particularly those running on SMP architectures. Since Linux is widely used in servers, embedded systems, and industrial control systems across Europe, the impact could affect critical infrastructure, enterprise servers, and endpoint devices relying on USB peripherals. The hang in usb_kill_urb() may cause USB device removal or cancellation operations to stall, potentially leading to degraded system performance or requiring manual intervention to recover. In environments where USB devices are used for security tokens, storage, or communication, this could disrupt business operations or security workflows. Although the vulnerability does not directly lead to privilege escalation or data leakage, the denial of service effect can be significant in high-availability or real-time systems. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future attacks or accidental hangs triggered by normal USB device operations.
Mitigation Recommendations
European organizations should promptly update their Linux kernel versions to include the patch that adds the necessary memory barriers to the USB core subsystem. This involves applying the kernel update identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 or later. For systems where immediate patching is not feasible, administrators should monitor USB device activity closely and consider limiting or controlling USB device usage to reduce exposure. Implementing kernel live patching solutions where available can minimize downtime. Additionally, organizations should audit their SMP Linux systems to identify those running affected kernel versions and prioritize patching on critical infrastructure and systems with high USB device interaction. Testing patches in staging environments before deployment is recommended to avoid regressions. Finally, maintaining robust system monitoring and alerting for USB-related hangs or kernel stalls can help detect exploitation attempts or accidental triggers early.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2022-48760: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers.
AI-Powered Analysis
Technical Analysis
CVE-2022-48760 is a concurrency-related vulnerability in the Linux kernel's USB core subsystem. The issue arises from improper memory ordering on symmetric multiprocessing (SMP) systems during the execution of usb_kill_urb() and __usb_hcd_giveback_urb() functions, which manage USB Request Blocks (URBs). Specifically, the problem is due to the lack of appropriate memory barriers around atomic operations on urb->reject and urb->use_count variables. On SMP systems, the CPUs may reorder memory accesses, causing a scenario known as Store Buffering (SB). In this case, CPU 0 writes to urb->reject and then reads urb->use_count, while CPU 1 writes urb->use_count and then reads urb->reject. Without memory barriers, these reads can be executed before the writes, leading to inconsistent views of these variables across CPUs. Consequently, usb_kill_urb() can hang indefinitely because CPU 0 waits on a condition that never becomes true, as it misses the wakeup notification triggered by CPU 1. This hang affects USB device removal or cancellation operations, potentially causing system instability or denial of service. The vulnerability also affects usb_poison_urb() and the failure path of usb_hcd_submit_urb(). The fix involves adding full memory barriers (smp_mb__after_atomic()) after atomic increments and decrements to enforce proper ordering and ensure wakeup notifications are reliably delivered. This patch prevents the hang by guaranteeing that the updates to urb->reject and urb->use_count are seen in the correct order across CPUs. The vulnerability was identified by the syzbot fuzzer and affects Linux kernel versions prior to the patch commit identified by the hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, this vulnerability could lead to system hangs or denial of service on Linux systems that handle USB devices, particularly those running on SMP architectures. Since Linux is widely used in servers, embedded systems, and industrial control systems across Europe, the impact could affect critical infrastructure, enterprise servers, and endpoint devices relying on USB peripherals. The hang in usb_kill_urb() may cause USB device removal or cancellation operations to stall, potentially leading to degraded system performance or requiring manual intervention to recover. In environments where USB devices are used for security tokens, storage, or communication, this could disrupt business operations or security workflows. Although the vulnerability does not directly lead to privilege escalation or data leakage, the denial of service effect can be significant in high-availability or real-time systems. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future attacks or accidental hangs triggered by normal USB device operations.
Mitigation Recommendations
European organizations should promptly update their Linux kernel versions to include the patch that adds the necessary memory barriers to the USB core subsystem. This involves applying the kernel update identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 or later. For systems where immediate patching is not feasible, administrators should monitor USB device activity closely and consider limiting or controlling USB device usage to reduce exposure. Implementing kernel live patching solutions where available can minimize downtime. Additionally, organizations should audit their SMP Linux systems to identify those running affected kernel versions and prioritize patching on critical infrastructure and systems with high USB device interaction. Testing patches in staging environments before deployment is recommended to avoid regressions. Finally, maintaining robust system monitoring and alerting for USB-related hangs or kernel stalls can help detect exploitation attempts or accidental triggers early.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-06-20T11:09:39.059Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ec4522896dcbe60c3
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 8:41:57 PM
Last updated: 8/11/2025, 11:36:07 AM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.