CVE-2022-48796: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function.
AI Analysis
Technical Summary
CVE-2022-48796 is a use-after-free vulnerability identified in the Linux kernel's IOMMU (Input-Output Memory Management Unit) subsystem. The flaw occurs during device probing when a device probe fails and the kernel attempts to free the dev->iommu structure in the dev_iommu_free function. Concurrently, a deferred probe work function (deferred_probe_work_func) runs in parallel and attempts to access dev->iommu->fwspec within the of_iommu_configure path. This results in a use-after-free condition because the dev->iommu pointer has already been freed but not yet set to NULL, leading to a dangling pointer dereference. The kernel's KASAN (Kernel Address Sanitizer) tool detected this issue as an invalid read of freed memory. The vulnerability is rooted in a race condition between the freeing of the IOMMU device structure and deferred workqueue processing. The technical call stack traces indicate that the problem arises during the probing and initialization of ARM SMMU (System Memory Management Unit) devices, which are common in ARM-based platforms. The fix involves setting dev->iommu to NULL before freeing the dev_iommu structure to prevent the deferred probe work from accessing freed memory. This vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant to systems using the ARM SMMU driver and IOMMU framework. No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with ARM architecture support, especially those utilizing ARM SMMU devices. This includes embedded systems, IoT devices, telecom infrastructure, and certain industrial control systems prevalent in sectors such as manufacturing, telecommunications, and critical infrastructure. Exploitation of this use-after-free vulnerability could lead to kernel crashes (denial of service), potential escalation of privileges, or arbitrary code execution within the kernel context if an attacker can trigger the race condition reliably. This could compromise system integrity and availability, disrupting critical services. Given the widespread use of Linux in servers, cloud environments, and edge devices, organizations relying on ARM-based Linux systems must be vigilant. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The impact is heightened in environments where kernel stability and security are paramount, such as financial institutions, healthcare providers, and government agencies in Europe.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Specifically, ensure that the dev->iommu pointer is properly nullified before freeing the dev_iommu structure as per the fix. For systems where immediate patching is not feasible, organizations should: 1) Limit access to systems running vulnerable kernels, especially restricting untrusted user or process access that could trigger device probing; 2) Monitor kernel logs for signs of use-after-free or related kernel warnings; 3) Employ kernel hardening techniques such as enabling KASAN in testing environments to detect similar issues proactively; 4) Use security modules (e.g., SELinux, AppArmor) to restrict device driver loading and probing; 5) For ARM-based embedded devices, coordinate with hardware vendors and Linux distribution maintainers to receive timely patches; 6) Implement network segmentation to isolate vulnerable devices from critical infrastructure; 7) Conduct thorough testing of kernel updates in staging environments before deployment to avoid regressions. These steps go beyond generic advice by focusing on the specific nature of the race condition and the ARM SMMU context.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
CVE-2022-48796: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function.
AI-Powered Analysis
Technical Analysis
CVE-2022-48796 is a use-after-free vulnerability identified in the Linux kernel's IOMMU (Input-Output Memory Management Unit) subsystem. The flaw occurs during device probing when a device probe fails and the kernel attempts to free the dev->iommu structure in the dev_iommu_free function. Concurrently, a deferred probe work function (deferred_probe_work_func) runs in parallel and attempts to access dev->iommu->fwspec within the of_iommu_configure path. This results in a use-after-free condition because the dev->iommu pointer has already been freed but not yet set to NULL, leading to a dangling pointer dereference. The kernel's KASAN (Kernel Address Sanitizer) tool detected this issue as an invalid read of freed memory. The vulnerability is rooted in a race condition between the freeing of the IOMMU device structure and deferred workqueue processing. The technical call stack traces indicate that the problem arises during the probing and initialization of ARM SMMU (System Memory Management Unit) devices, which are common in ARM-based platforms. The fix involves setting dev->iommu to NULL before freeing the dev_iommu structure to prevent the deferred probe work from accessing freed memory. This vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant to systems using the ARM SMMU driver and IOMMU framework. No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with ARM architecture support, especially those utilizing ARM SMMU devices. This includes embedded systems, IoT devices, telecom infrastructure, and certain industrial control systems prevalent in sectors such as manufacturing, telecommunications, and critical infrastructure. Exploitation of this use-after-free vulnerability could lead to kernel crashes (denial of service), potential escalation of privileges, or arbitrary code execution within the kernel context if an attacker can trigger the race condition reliably. This could compromise system integrity and availability, disrupting critical services. Given the widespread use of Linux in servers, cloud environments, and edge devices, organizations relying on ARM-based Linux systems must be vigilant. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The impact is heightened in environments where kernel stability and security are paramount, such as financial institutions, healthcare providers, and government agencies in Europe.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Specifically, ensure that the dev->iommu pointer is properly nullified before freeing the dev_iommu structure as per the fix. For systems where immediate patching is not feasible, organizations should: 1) Limit access to systems running vulnerable kernels, especially restricting untrusted user or process access that could trigger device probing; 2) Monitor kernel logs for signs of use-after-free or related kernel warnings; 3) Employ kernel hardening techniques such as enabling KASAN in testing environments to detect similar issues proactively; 4) Use security modules (e.g., SELinux, AppArmor) to restrict device driver loading and probing; 5) For ARM-based embedded devices, coordinate with hardware vendors and Linux distribution maintainers to receive timely patches; 6) Implement network segmentation to isolate vulnerable devices from critical infrastructure; 7) Conduct thorough testing of kernel updates in staging environments before deployment to avoid regressions. These steps go beyond generic advice by focusing on the specific nature of the race condition and the ARM SMMU context.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-16T11:38:08.895Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aebf77
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:11:51 AM
Last updated: 8/6/2025, 10:30:48 PM
Views: 14
Related Threats
CVE-2025-8533: CWE-863 Incorrect Authorization in Flexibits Fantastical
MediumCVE-2025-35970: Use of weak credentials in SEIKO EPSON Multiple EPSON product
HighCVE-2025-29866: CWE-73: External Control of File Name or Path in TAGFREE X-Free Uploader
HighCVE-2025-32094: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Akamai AkamaiGhost
MediumCVE-2025-8583: Inappropriate implementation in Google Chrome
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.