CVE-2022-48817: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: dsa: ar9331: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus.
AI Analysis
Technical Summary
CVE-2022-48817 is a vulnerability identified in the Linux kernel, specifically related to the management of the MDIO bus registration and deregistration within the Distributed Switch Architecture (DSA) subsystem. The issue arises from improper handling of the mdiobus resource lifecycle in the ar9331 driver, which is an MDIO device. The vulnerability is rooted in the fact that mdiobus_free() can cause a kernel panic if it is called from devm_mdiobus_free() during device resource release (devres_release_all) when the mdiobus has not been properly unregistered beforehand. This improper resource management leads to a use-after-free or double-free scenario, causing instability or crashes in the kernel. The problem is exacerbated in cases where the DSA master device is on a bus that invokes the ->remove callback during shutdown, such as the dpaa2-eth device on the fsl-mc bus. This creates a device link between the switch and the DSA master, and during shutdown, device_links_unbind_consumers() unbinds the ar9331 switch driver, which can trigger the problematic mdiobus_free() call. The fix involves ensuring consistent use of devres for both mdiobus allocation and registration or avoiding devres entirely, to prevent freeing a still-registered bus. In the ar9331 driver, this was addressed by replacing of_mdiobus_register with the devres variant, ensuring proper resource management and preventing kernel panics. This vulnerability is a kernel stability and reliability issue rather than a direct security exploit, as it does not appear to allow privilege escalation or arbitrary code execution. However, kernel panics can lead to denial of service (DoS) conditions on affected systems.
Potential Impact
For European organizations, the primary impact of CVE-2022-48817 is potential system instability and denial of service on Linux-based systems using affected kernel versions with the ar9331 DSA driver or similar configurations. This is particularly relevant for organizations relying on embedded Linux devices, network infrastructure equipment, or specialized hardware that uses the ar9331 switch or similar MDIO devices. Such devices may be found in telecommunications, industrial control systems, and networking equipment. A kernel panic triggered by this vulnerability could cause unexpected downtime, impacting critical services and operational continuity. While there is no known exploitation in the wild and no direct data breach risk, the disruption caused by kernel crashes can affect availability and reliability of services, which is critical for sectors like finance, healthcare, and public infrastructure in Europe. Additionally, the complexity of the issue means that some organizations may face challenges in identifying and patching affected systems promptly, increasing the window of exposure.
Mitigation Recommendations
To mitigate CVE-2022-48817, European organizations should: 1) Identify Linux systems running kernel versions that include the vulnerable ar9331 DSA driver or similar MDIO device drivers. This includes embedded devices and network appliances. 2) Apply the official Linux kernel patches that replace of_mdiobus_register with the devres variant or equivalent fixes ensuring proper mdiobus resource management. Since no patch links were provided, organizations should monitor the official Linux kernel mailing lists, vendor advisories, and distributions for updated kernel releases addressing this issue. 3) For devices where kernel updates are not immediately feasible, consider implementing controlled shutdown procedures to avoid triggering the problematic device removal sequences, if possible. 4) Monitor system logs for kernel panics or unusual device removal errors related to MDIO or DSA subsystems to detect potential exploitation or instability. 5) Engage with hardware vendors and Linux distribution maintainers to confirm the presence of fixes and coordinate timely updates. 6) Incorporate this vulnerability into vulnerability management and patching workflows, prioritizing devices critical to network infrastructure and industrial control. 7) Test patches in staging environments to ensure stability and compatibility before deployment in production.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
CVE-2022-48817: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: dsa: ar9331: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus.
AI-Powered Analysis
Technical Analysis
CVE-2022-48817 is a vulnerability identified in the Linux kernel, specifically related to the management of the MDIO bus registration and deregistration within the Distributed Switch Architecture (DSA) subsystem. The issue arises from improper handling of the mdiobus resource lifecycle in the ar9331 driver, which is an MDIO device. The vulnerability is rooted in the fact that mdiobus_free() can cause a kernel panic if it is called from devm_mdiobus_free() during device resource release (devres_release_all) when the mdiobus has not been properly unregistered beforehand. This improper resource management leads to a use-after-free or double-free scenario, causing instability or crashes in the kernel. The problem is exacerbated in cases where the DSA master device is on a bus that invokes the ->remove callback during shutdown, such as the dpaa2-eth device on the fsl-mc bus. This creates a device link between the switch and the DSA master, and during shutdown, device_links_unbind_consumers() unbinds the ar9331 switch driver, which can trigger the problematic mdiobus_free() call. The fix involves ensuring consistent use of devres for both mdiobus allocation and registration or avoiding devres entirely, to prevent freeing a still-registered bus. In the ar9331 driver, this was addressed by replacing of_mdiobus_register with the devres variant, ensuring proper resource management and preventing kernel panics. This vulnerability is a kernel stability and reliability issue rather than a direct security exploit, as it does not appear to allow privilege escalation or arbitrary code execution. However, kernel panics can lead to denial of service (DoS) conditions on affected systems.
Potential Impact
For European organizations, the primary impact of CVE-2022-48817 is potential system instability and denial of service on Linux-based systems using affected kernel versions with the ar9331 DSA driver or similar configurations. This is particularly relevant for organizations relying on embedded Linux devices, network infrastructure equipment, or specialized hardware that uses the ar9331 switch or similar MDIO devices. Such devices may be found in telecommunications, industrial control systems, and networking equipment. A kernel panic triggered by this vulnerability could cause unexpected downtime, impacting critical services and operational continuity. While there is no known exploitation in the wild and no direct data breach risk, the disruption caused by kernel crashes can affect availability and reliability of services, which is critical for sectors like finance, healthcare, and public infrastructure in Europe. Additionally, the complexity of the issue means that some organizations may face challenges in identifying and patching affected systems promptly, increasing the window of exposure.
Mitigation Recommendations
To mitigate CVE-2022-48817, European organizations should: 1) Identify Linux systems running kernel versions that include the vulnerable ar9331 DSA driver or similar MDIO device drivers. This includes embedded devices and network appliances. 2) Apply the official Linux kernel patches that replace of_mdiobus_register with the devres variant or equivalent fixes ensuring proper mdiobus resource management. Since no patch links were provided, organizations should monitor the official Linux kernel mailing lists, vendor advisories, and distributions for updated kernel releases addressing this issue. 3) For devices where kernel updates are not immediately feasible, consider implementing controlled shutdown procedures to avoid triggering the problematic device removal sequences, if possible. 4) Monitor system logs for kernel panics or unusual device removal errors related to MDIO or DSA subsystems to detect potential exploitation or instability. 5) Engage with hardware vendors and Linux distribution maintainers to confirm the presence of fixes and coordinate timely updates. 6) Incorporate this vulnerability into vulnerability management and patching workflows, prioritizing devices critical to network infrastructure and industrial control. 7) Test patches in staging environments to ensure stability and compatibility before deployment in production.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-16T11:38:08.900Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ec4522896dcbe6270
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 10:10:46 PM
Last updated: 7/30/2025, 7:09:10 AM
Views: 23
Related Threats
CVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway
HighCVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-55150: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-54992: CWE-611: Improper Restriction of XML External Entity Reference in telstra open-kilda
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.