CVE-2022-48840: Vulnerability in Linux Linux

Medium
Published: Tue Jul 16 2024 (07/16/2024, 12:25:11 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix hang during reboot/shutdown

Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior to unregistering net device.

This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is endless and shutdown process hangs.

The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress).

Reproducer:
1. Create VF on PF driven by ice or i40e driver
2. Ensure that the VF is bound to iavf driver
3. Reboot

[52625.981294] sysrq: SysRq : Show Blocked State
[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2
[52625.996732] Call Trace:
[52625.999187] __schedule+0x2d1/0x830
[52626.007400] schedule+0x35/0xa0
[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100
[52626.020046] usleep_range+0x5b/0x80
[52626.023540] iavf_remove+0x63/0x5b0 [iavf]
[52626.027645] pci_device_remove+0x3b/0xc0
[52626.031572] device_release_driver_internal+0x103/0x1f0
[52626.036805] pci_stop_bus_device+0x72/0xa0
[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20
[52626.045870] pci_iov_remove_virtfn+0xba/0x120
[52626.050232] sriov_disable+0x2f/0xe0
[52626.053813] ice_free_vfs+0x7c/0x340 [ice]
[52626.057946] ice_remove+0x220/0x240 [ice]
[52626.061967] ice_shutdown+0x16/0x50 [ice]
[52626.065987] pci_device_shutdown+0x34/0x60
[52626.070086] device_shutdown+0x165/0x1c5
[52626.074011] kernel_restart+0xe/0x30
[52626.077593] __do_sys_reboot+0x1d2/0x210
[52626.093815] do_syscall_64+0x5b/0x1a0
[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca

AI-Powered Analysis

Last updated: 06/30/2025, 22:39:52 UTC

Technical Analysis

CVE-2022-48840 is a vulnerability in the Linux kernel affecting the iavf network driver, which is used for Intel Ethernet Virtual Function (VF) devices. The issue arises from a recent code change that introduced a wait-loop in the iavf_remove() function to ensure port initialization completes before unregistering the network device. However, this change causes a regression during system reboot or shutdown.

Specifically, the iavf_shutdown() callback detaches the device and sets its state to __IAVF_REMOVE. Subsequently, the shutdown callback of the associated Physical Function (PF) driver (such as ice_shutdown) calls sriov_disable(), which indirectly calls iavf_remove(). Because the adapter state is already __IAVF_REMOVE, the wait-loop in iavf_remove() becomes infinite, causing the shutdown or reboot process to hang indefinitely. The vulnerability is triggered when a VF is created on a PF driven by the ice or i40e driver, the VF is bound to the iavf driver, and the system is rebooted. This leads to a blocked shutdown sequence, as demonstrated by kernel stack traces showing the system stuck in the wait-loop.

The root cause is a missing state check at the start of iavf_remove() to skip processing if the adapter is already in the remove state. The patch fixes this by adding this state check, preventing the infinite loop during shutdown. This vulnerability affects specific Linux kernel versions containing the problematic commits and impacts systems using Intel Ethernet VF devices with the iavf driver in conjunction with PF drivers like ice or i40e. While no known exploits are reported in the wild, the issue can cause denial of service by hanging system reboot or shutdown operations.
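The blocked-task signature described above can be matched mechanically in captured console or dmesg output. The following is an added example, not code from the kernel patch or from this advisory; the function names are hypothetical and the sample is the trace quoted in the description, abridged.

```python
import re

# Kernel stack frame as printed in dmesg: "[timestamp] symbol+0xoff/0xsize [module]"
FRAME = re.compile(r"\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
TASK = re.compile(r"task:(\S+)\s+state:(\S)")

# Frames copied from the trace in the CVE description above (abridged).
SAMPLE = """\
[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2
[52625.996732] Call Trace:
[52625.999187] __schedule+0x2d1/0x830
[52626.007400] schedule+0x35/0xa0
[52626.020046] usleep_range+0x5b/0x80
[52626.023540] iavf_remove+0x63/0x5b0 [iavf]
[52626.027645] pci_device_remove+0x3b/0xc0
[52626.050232] sriov_disable+0x2f/0xe0
[52626.053813] ice_free_vfs+0x7c/0x340 [ice]
[52626.061967] ice_shutdown+0x16/0x50 [ice]
[52626.065987] pci_device_shutdown+0x34/0x60
[52626.070086] device_shutdown+0x165/0x1c5
"""

def task_dumps(log):
    """Split a log into (task, state, [symbols, innermost first]) per task dump."""
    dumps = []
    for line in log.splitlines():
        if (m := TASK.search(line)):
            dumps.append((m.group(1), m.group(2), []))
        elif dumps and (m := FRAME.search(line)):
            dumps[-1][2].append(m.group(1))
    return dumps

def is_iavf_shutdown_hang(state, syms):
    """True for the pattern in this CVE: uninterruptible sleep inside
    iavf_remove(), reached through sriov_disable() during device_shutdown()."""
    if state != "D" or "iavf_remove" not in syms:
        return False
    i = syms.index("iavf_remove")
    callers = syms[i + 1:]  # frames below iavf_remove are its callers
    return ("usleep_range" in syms[:i] and "sriov_disable" in callers
            and "device_shutdown" in callers)

def hung_tasks(log):
    """Names of tasks whose dumped stack matches the hang pattern."""
    return [t for t, s, syms in task_dumps(log) if is_iavf_shutdown_hang(s, syms)]

if __name__ == "__main__":
    print(hung_tasks(SAMPLE))
```

A single match is a snapshot of one moment; the hang is confirmed when the same task shows the same stack in successive dumps.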

Potential Impact

For European organizations, this vulnerability can have significant operational impacts, especially in data centers, cloud providers, and enterprises relying on Linux servers with Intel Ethernet VF devices for virtualization and network performance. A hung shutdown or reboot can delay critical maintenance, patching, or recovery operations, potentially leading to extended downtime. This is particularly problematic for environments requiring high availability or rapid failover. Additionally, automated orchestration systems that rely on clean shutdowns may fail, causing cascading service disruptions. Although this vulnerability does not directly lead to data breaches or privilege escalation, the denial of service effect can impact business continuity and service level agreements (SLAs). Organizations using virtualized network functions or NFV infrastructure with affected drivers are at higher risk. The issue is less likely to be exploited remotely but can be triggered by local administrative actions or automated reboot sequences, making insider threat or misconfiguration scenarios relevant.

Mitigation Recommendations

European organizations should promptly update their Linux kernels to versions that include the patch fixing CVE-2022-48840. Specifically, ensure that kernel versions incorporate the fix that adds the adapter state check in iavf_remove(). For environments where immediate patching is not feasible, consider the following mitigations: avoid creating VFs bound to the iavf driver on PFs managed by ice or i40e drivers, or disable SR-IOV features temporarily to prevent triggering the shutdown hang. Additionally, implement monitoring to detect hung shutdown or reboot processes and establish manual recovery procedures to handle such scenarios. Testing shutdown and reboot sequences in staging environments before production deployment can help identify if systems are affected. Coordination with hardware and OS vendors to confirm driver versions and patches is recommended. Finally, maintain strict change management and limit administrative access to reduce accidental triggering of the vulnerability.
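To find hosts that meet the trigger conditions named above (a VF bound to iavf whose PF is driven by ice or i40e), the PCI layout in sysfs can be audited. This is an added example, not part of the advisory or the kernel patch; the function names are hypothetical, and it reports exposure only, so whether the running kernel already carries the fix must be confirmed separately.

```python
import os

PF_DRIVERS = {"ice", "i40e"}  # PF drivers named in the advisory

def driver_of(dev_path):
    """Name of the driver bound to a PCI device, or None if it is unbound."""
    link = os.path.join(dev_path, "driver")
    return os.path.basename(os.path.realpath(link)) if os.path.islink(link) else None

def exposed_vfs(sysfs="/sys"):
    """Return [(vf_bdf, pf_bdf, pf_driver)] for VFs bound to iavf on an ice/i40e PF."""
    devices = os.path.join(sysfs, "bus/pci/devices")
    found = []
    if not os.path.isdir(devices):
        return found
    for bdf in sorted(os.listdir(devices)):
        dev = os.path.join(devices, bdf)
        physfn = os.path.join(dev, "physfn")  # symlink present only on SR-IOV VFs
        if driver_of(dev) != "iavf" or not os.path.islink(physfn):
            continue
        pf = os.path.realpath(physfn)
        pf_drv = driver_of(pf)
        if pf_drv in PF_DRIVERS:
            found.append((bdf, os.path.basename(pf), pf_drv))
    return found

if __name__ == "__main__":
    for vf, pf, drv in exposed_vfs():
        print(f"{vf} (iavf) -> PF {pf} ({drv})")
```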

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-16T11:38:08.909Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe6335

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 10:39:52 PM

Last updated: 8/17/2025, 6:39:02 PM
