CVE-2022-48785: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: use rcu-safe version of ipv6_get_lladdr()

Some time ago 8965779d2c0e ("ipv6,mcast: always hold idev->lock before mca_lock") switched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe version. That was OK, because idev->lock was held for these codepaths.

In 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") these external locks were removed, so we probably need to restore the original rcu-safe call.

Otherwise, we occasionally get a machine crashed/stalled with the following in dmesg:

[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI
[ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G O 5.15.19-cloudflare-2022.2.1 #1
[ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV
[ 3406.009552][T230589] Workqueue: mld mld_ifc_work
[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60
[ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b
[ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202
[ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040
[ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008
[ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000
[ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100
[ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000
[ 3406.125730][T230589] FS: 0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000
[ 3406.138992][T230589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0
[ 3406.162421][T230589] Call Trace:
[ 3406.170235][T230589] <TASK>
[ 3406.177736][T230589] mld_newpack+0xfe/0x1a0
[ 3406.186686][T230589] add_grhead+0x87/0xa0
[ 3406.195498][T230589] add_grec+0x485/0x4e0
[ 3406.204310][T230589] ? newidle_balance+0x126/0x3f0
[ 3406.214024][T230589] mld_ifc_work+0x15d/0x450
[ 3406.223279][T230589] process_one_work+0x1e6/0x380
[ 3406.232982][T230589] worker_thread+0x50/0x3a0
[ 3406.242371][T230589] ? rescuer_thread+0x360/0x360
[ 3406.252175][T230589] kthread+0x127/0x150
[ 3406.261197][T230589] ? set_kthread_struct+0x40/0x40
[ 3406.271287][T230589] ret_from_fork+0x22/0x30
[ 3406.280812][T230589] </TASK>
[ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders]
[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---
AI Analysis
Technical Summary
CVE-2022-48785 is a vulnerability identified in the Linux kernel's IPv6 multicast handling code. The issue stems from an unsafe use of the function ipv6_get_lladdr() within the multicast IPv6 code paths. Originally, the Linux kernel used ipv6_get_lladdr(), which is RCU-safe (Read-Copy-Update safe), ensuring safe concurrent access to network device link-layer addresses. However, a commit (hash 8965779d2c0e) replaced this with __ipv6_get_lladdr(), an RCU-unsafe variant, under the assumption that the idev->lock was held to protect the code path. Later, another commit (88e2ca308094) removed these external locks, making the use of the RCU-unsafe __ipv6_get_lladdr() unsafe. This race condition can lead to dereferencing invalid pointers, causing kernel crashes or stalls, as evidenced by the general protection fault and non-canonical address errors in kernel logs. The crash occurs in the mld_ifc_work kernel thread, which handles multicast listener discovery (MLD) for IPv6. The vulnerability can cause system instability and denial of service due to kernel panics or stalls. Although no known exploits are reported in the wild, the vulnerability affects Linux kernel versions containing the specified commits and is relevant for any systems using IPv6 multicast functionality. The root cause is a concurrency bug related to improper locking and unsafe pointer dereferencing in kernel networking code.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running vulnerable Linux kernel versions with IPv6 multicast enabled. The impact includes potential denial of service due to kernel crashes or system stalls, which can disrupt critical services such as web hosting, cloud infrastructure, telecommunications, and industrial control systems. Organizations relying on Linux-based routers, firewalls, or IoT gateways that utilize IPv6 multicast may experience network outages or degraded performance. Given the increasing adoption of IPv6 in Europe and the prevalence of Linux in enterprise and cloud environments, the vulnerability could affect a broad range of sectors including finance, healthcare, government, and telecommunications. While no remote code execution or privilege escalation is indicated, the denial of service impact can still cause significant operational disruption and financial loss. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential exploitation or accidental crashes.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, restoring the use of the RCU-safe ipv6_get_lladdr() function in the multicast code path. Kernel updates should be applied promptly following vendor advisories. For environments where immediate patching is not feasible, organizations should consider disabling IPv6 multicast functionality if it is not required, as a temporary mitigation to reduce exposure. Network administrators should monitor system logs for signs of kernel panics or general protection faults related to IPv6 multicast. Additionally, implementing robust kernel crash recovery mechanisms and high availability configurations can minimize service disruption. Organizations should also audit their Linux kernel versions across infrastructure to identify vulnerable systems, including cloud instances, containers, and embedded devices. Coordinating with Linux distribution vendors for timely patches and backports is essential. Finally, maintaining strict network segmentation and limiting exposure of critical Linux systems to untrusted networks can reduce attack surface.
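As an added example (not part of the original advisory or of any vendor tooling), the log-monitoring recommendation above can be turned into a parser that groups general-protection-fault reports by printk caller id and flags those carrying the signature of the quoted trace: RIP inside __ipv6_get_lladdr on the mld_ifc_work path. The function and field names are this example's own, and the 0xdead poison-address check assumes the x86-64 default poison range.

```python
import re

# The T230589 lines come from the trace on this page; the others are constructed.
SAMPLE = """\
[ 3405.900000][T1200] eth0: link up
[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI
[ 3406.009552][T230589] Workqueue: mld mld_ifc_work
[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60
[ 3406.177736][T230589] mld_newpack+0xfe/0x1a0
[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---
[ 3500.000000][T77] general protection fault, probably for non-canonical address 0x1234000000000000: 0000 [#2] SMP NOPTI
[ 3500.000100][T77] RIP: 0010:some_other_func+0x10/0x40
[ 3500.000200][T77] ---[ end trace 0000000000000000 ]---
"""
# The [T<pid>]/[C<cpu>] printk caller id is optional; without it all lines share one stream.
LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\](?:\[(?P<ctx>[TC]\d+)\])?\s*(?P<msg>.*)$")
GPF = re.compile(r"general protection fault.*?address (0x[0-9a-f]+)")
RIP = re.compile(r"RIP: [0-9a-f]+:([\w.]+)\+0x")
WQ = re.compile(r"Workqueue: (\S+) (\S+)")
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "? sym" frames are skipped

def find_oopses(text):
    open_, done = {}, []  # reports in progress per caller id, finished reports
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ctx, msg = m["ctx"], m["msg"]
        if g := GPF.search(msg):
            addr = int(g[1], 16)
            # 0xdead... is the x86-64 poison range written into unlinked list entries
            open_[ctx] = {"addr": addr, "poison": addr >> 48 == 0xdead,
                          "rip": None, "work": None, "frames": []}
        elif (o := open_.get(ctx)) is None:
            continue
        elif r := RIP.search(msg):
            o["rip"] = o["rip"] or r[1]
        elif w := WQ.search(msg):
            o["work"] = w[2]
        elif f := FRAME.match(msg):
            o["frames"].append(f[1])
        elif "end trace" in msg:
            done.append(open_.pop(ctx))
    return done + list(open_.values())  # keep truncated reports too

def matches_cve_2022_48785(o):
    # Signature from the advisory: fault inside __ipv6_get_lladdr on the MLD work path
    in_mld = o["work"] == "mld_ifc_work" or "mld_newpack" in o["frames"]
    return o["rip"] == "__ipv6_get_lladdr" and in_mld
```

Feed it the output of `dmesg` or a saved kernel log; a match with `poison` set means the address-list walk followed a pointer from an entry that had already been unlinked, which is the race the fix closes.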
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-20T11:09:39.069Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe616e
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 9:24:56 PM
Last updated: 8/3/2025, 12:37:55 AM