CVE-2022-48830: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix potential CAN frame reception race in isotp_rcv()

When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage.

Ziyang Xuan writes:

The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put().

=======================================================
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:118 [inline]
skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
isotp_rcv_cf net/can/isotp.c:570 [inline]
isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
deliver net/can/af_can.c:574 [inline]
can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
can_receive+0x31d/0x580 net/can/af_can.c:665
can_rcv+0x120/0x1c0 net/can/af_can.c:696
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
__netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579

Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation.
AI Analysis
Technical Summary
CVE-2022-48830 is a vulnerability in the Linux kernel's CAN (Controller Area Network) ISO-TP (ISO 15765-2 Transport Protocol) implementation, specifically in the isotp_rcv() function that handles received CAN frames. It is a race condition between concurrent receive paths for the same socket. syzkaller fuzzing showed that the expected PDU length of the receive state (so->rx.len) can be changed by isotp_rcv_ff(), the first-frame handler, while isotp_rcv_cf(), the consecutive-frame handler, is still running. At the end of reassembly isotp_rcv_cf() reads so->rx.len twice: once to size the socket buffer in alloc_skb() and again for the copy in skb_put(). If the value grows in between (0 before the allocation and 4096 after it in the reported scenario), skb_put() exceeds the allocation and the kernel's socket buffer (skb) code calls skb_over_panic(), crashing the kernel. The root cause is the absence of synchronization between these receive paths, a situation that does not arise in normal use but is reachable under specific conditions. The fix adds a spin_lock in isotp_rcv() so that state changes and data structures stay consistent for the whole of a frame's reception, which removes the race and the resulting panic. The patch does not change normal operation.
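To make the sequence concrete, the following user-space model (added here; it is not the kernel's own code) reproduces the two reads of so->rx.len around the allocation at the end of isotp_rcv_cf() and shows how serialising the receive path with a spin lock changes the outcome. The spinlock, skb and handler names mirror the kernel's but are simplified stand-ins, and the 8-byte PDU being reassembled is a constructed scenario.

```c
/* Added example (user-space model, not the kernel's code): the two reads of so->rx.len
 * at the end of isotp_rcv_cf() behind CVE-2022-48830, with and without the fix's spin_lock. */
#include <stdatomic.h>
#include <string.h>

#define MAX_MSG_LENGTH 8200 /* reassembly buffer size in the kernel's isotp.c */

/* C11 test-and-set spinlock standing in for the kernel's spinlock_t. */
typedef atomic_flag spinlock_t;
static void spin_lock(spinlock_t *l) { while (atomic_flag_test_and_set(l)) { } }
static int spin_trylock(spinlock_t *l) { return !atomic_flag_test_and_set(l); }
static void spin_unlock(spinlock_t *l) { atomic_flag_clear(l); }

struct tpcon { size_t idx, len; unsigned char buf[MAX_MSG_LENGTH]; };
struct isotp_sock { struct tpcon rx; spinlock_t rx_lock; };

/* Minimal socket buffer: skb_put() returns NULL where the kernel calls skb_over_panic(). */
struct skb { size_t tail, end; unsigned char data[MAX_MSG_LENGTH]; };
static unsigned char *skb_put(struct skb *s, size_t len) {
    if (s->tail + len > s->end) return NULL;
    unsigned char *p = s->data + s->tail; s->tail += len; return p;
}

/* Stands in for isotp_rcv_ff() on another CPU for the same socket: a first frame
 * announcing a 4096-byte PDU (the length in the syzkaller report) resets rx state.
 * If the fixed path holds rx_lock it would spin until release; this single-threaded
 * model records that as "deferred" instead. */
static int ff_deferred;
static void racing_ff(struct isotp_sock *so) {
    if (!spin_trylock(&so->rx_lock)) { ff_deferred = 1; return; }
    so->rx.len = 4096; so->rx.idx = 0;
    spin_unlock(&so->rx_lock);
}

/* Tail of isotp_rcv_cf() after the last consecutive frame: rx.len is read once for the
 * allocation and again for the copy; 'locked' selects the fixed path.
 * Returns the delivered length, or -1 where the unfixed kernel panics. */
static int finish_rx(struct isotp_sock *so, int locked, void (*preempt)(struct isotp_sock *)) {
    if (locked) spin_lock(&so->rx_lock);
    struct skb nskb = { .end = so->rx.len };     /* alloc_skb(so->rx.len, gfp_atomic) */
    preempt(so);                                 /* the concurrent isotp_rcv_ff() lands here */
    unsigned char *dst = skb_put(&nskb, so->rx.len);
    int ret = -1;
    if (dst) { memcpy(dst, so->rx.buf, so->rx.len); ret = (int)so->rx.len; }
    if (locked) spin_unlock(&so->rx_lock);
    return ret;
}

/* Constructed scenario: an 8-byte PDU has just been fully reassembled (idx == len). */
static int run_scenario(int locked) {
    struct isotp_sock so = { .rx = { .idx = 8, .len = 8 }, .rx_lock = ATOMIC_FLAG_INIT };
    memset(so.rx.buf, 0xA5, 8);
    ff_deferred = 0;
    return finish_rx(&so, locked, racing_ff); /* 0 -> -1 (panic), 1 -> 8 */
}
```

run_scenario(0) returns -1 because the skb sized for 8 bytes is asked to take 4096; run_scenario(1) returns 8 and the competing first frame is only seen after the lock is released.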
Potential Impact
For European organizations, especially those involved in automotive manufacturing, industrial automation, and embedded systems relying on Linux-based CAN communication stacks, this vulnerability could lead to system instability or denial of service due to kernel panics. While exploitation in the wild is not known, the vulnerability could be triggered by crafted CAN frames in environments where multiple processes handle CAN traffic concurrently, potentially disrupting critical systems. This could affect manufacturing plants, automotive testing facilities, or any infrastructure using Linux-based CAN interfaces. The impact on confidentiality and integrity is low since the vulnerability primarily causes a denial of service via kernel panic rather than unauthorized data access or modification. However, availability impact can be significant in safety-critical or real-time systems. European organizations using Linux kernels with affected versions in embedded or industrial devices should be aware of this risk to maintain operational continuity.
Mitigation Recommendations
Organizations should promptly apply the Linux kernel patch that introduces spin_lock synchronization in the isotp_rcv() function to prevent race conditions during CAN frame reception. Beyond patching, it is advisable to audit and limit concurrent CAN frame reception processes where possible to reduce exposure. Implement strict access controls on CAN interfaces to prevent unauthorized or malicious injection of CAN frames. For embedded and industrial systems, ensure secure firmware update mechanisms to deploy kernel patches efficiently. Additionally, monitor kernel logs for signs of skb_over_panic or related kernel panics that could indicate attempted exploitation or triggering of this vulnerability. Testing in controlled environments before deployment is recommended to verify stability post-patch. Finally, maintain updated inventories of Linux kernel versions in use across devices to identify and remediate vulnerable systems.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.904Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe62e8
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 10:26:24 PM
Last updated: 8/17/2025, 8:34:26 PM