CVE-2022-48847: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: watch_queue: Fix filter limit check In watch_queue_set_filter(), there are a couple of places where we check that the filter type value does not exceed what the type_filter bitmap can hold. One place calculates the number of bits by: if (tf[i].type >= sizeof(wfilter->type_filter) * 8) which is fine, but the second does: if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG) which is not. This can lead to a couple of out-of-bounds writes due to a too-large type: (1) __set_bit() on wfilter->type_filter (2) Writing more elements in wfilter->filters[] than we allocated. Fix this by just using the proper WATCH_TYPE__NR instead, which is the number of types we actually know about. The bug may cause an oops looking something like: BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740 Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 ... kasan_report.cold+0x7f/0x11b ... watch_queue_set_filter+0x659/0x740 ... __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 611: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 watch_queue_set_filter+0x23a/0x740 __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88800d2c66a0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 28 bytes inside of 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)
AI Analysis
Technical Summary
CVE-2022-48847 is a vulnerability identified in the Linux kernel's watch_queue subsystem, specifically within the watch_queue_set_filter() function. The issue arises from improper boundary checks on the filter type values. The function attempts to verify that the filter type does not exceed the capacity of the type_filter bitmap. However, inconsistent calculations are used: one check correctly compares the filter type against the size of the bitmap in bits, while another incorrectly uses the size multiplied by BITS_PER_LONG, leading to an out-of-bounds condition. This discrepancy allows an attacker to supply a filter type value that exceeds the allocated bitmap size, resulting in out-of-bounds writes. These writes can corrupt adjacent memory structures, specifically by setting bits beyond the allocated bitmap and writing more elements into the filters array than allocated. The consequence is a potential kernel memory corruption, which can trigger a kernel oops or crash, as evidenced by the KASAN (Kernel Address Sanitizer) slab-out-of-bounds error logs. The vulnerability affects certain Linux kernel versions identified by specific commit hashes, and the root cause is a logic error in boundary checking rather than a missing check. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on July 16, 2024, and a fix involves replacing the faulty boundary check with a proper constant WATCH_TYPE__NR, representing the number of valid filter types. This correction prevents out-of-bounds memory writes by ensuring filter types are strictly validated against known limits.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are widely used in servers, cloud infrastructure, and embedded devices. Exploitation could lead to kernel crashes (denial of service) or potentially memory corruption that might be leveraged for privilege escalation or arbitrary code execution, depending on the attacker's capabilities and system configuration. Critical infrastructure, financial institutions, and cloud service providers in Europe relying on Linux-based systems could experience service disruptions or compromise of system integrity. Given the kernel-level nature of the flaw, successful exploitation could undermine system confidentiality, integrity, and availability. Although no active exploits are known, the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain at risk, especially in environments where attackers have local access or can induce ioctl calls to the watch_queue subsystem. The impact is heightened in multi-tenant cloud environments common in Europe, where kernel vulnerabilities can affect multiple customers on shared hardware.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched, ensuring the watch_queue_set_filter() function uses the corrected boundary checks. System administrators should: 1) Identify all Linux systems running affected kernel versions by matching commit hashes or kernel versions against vendor advisories. 2) Apply vendor-supplied kernel updates or patches promptly. 3) For systems where immediate patching is not feasible, consider restricting access to ioctl interfaces related to watch_queue to trusted users only, minimizing the risk of local exploitation. 4) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory protection mechanisms to detect and prevent out-of-bounds memory accesses. 5) Monitor system logs for kernel oops or KASAN alerts that may indicate attempted exploitation. 6) In cloud or containerized environments, ensure kernel versions are up to date and consider isolating workloads to limit the impact of potential kernel crashes. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about patches and related threats.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2022-48847: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: watch_queue: Fix filter limit check In watch_queue_set_filter(), there are a couple of places where we check that the filter type value does not exceed what the type_filter bitmap can hold. One place calculates the number of bits by: if (tf[i].type >= sizeof(wfilter->type_filter) * 8) which is fine, but the second does: if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG) which is not. This can lead to a couple of out-of-bounds writes due to a too-large type: (1) __set_bit() on wfilter->type_filter (2) Writing more elements in wfilter->filters[] than we allocated. Fix this by just using the proper WATCH_TYPE__NR instead, which is the number of types we actually know about. The bug may cause an oops looking something like: BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740 Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 ... kasan_report.cold+0x7f/0x11b ... watch_queue_set_filter+0x659/0x740 ... __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 611: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 watch_queue_set_filter+0x23a/0x740 __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88800d2c66a0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 28 bytes inside of 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)
AI-Powered Analysis
Technical Analysis
CVE-2022-48847 is a vulnerability identified in the Linux kernel's watch_queue subsystem, specifically within the watch_queue_set_filter() function. The issue arises from improper boundary checks on the filter type values. The function attempts to verify that the filter type does not exceed the capacity of the type_filter bitmap. However, inconsistent calculations are used: one check correctly compares the filter type against the size of the bitmap in bits, while another incorrectly uses the size multiplied by BITS_PER_LONG, leading to an out-of-bounds condition. This discrepancy allows an attacker to supply a filter type value that exceeds the allocated bitmap size, resulting in out-of-bounds writes. These writes can corrupt adjacent memory structures, specifically by setting bits beyond the allocated bitmap and writing more elements into the filters array than allocated. The consequence is a potential kernel memory corruption, which can trigger a kernel oops or crash, as evidenced by the KASAN (Kernel Address Sanitizer) slab-out-of-bounds error logs. The vulnerability affects certain Linux kernel versions identified by specific commit hashes, and the root cause is a logic error in boundary checking rather than a missing check. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on July 16, 2024, and a fix involves replacing the faulty boundary check with a proper constant WATCH_TYPE__NR, representing the number of valid filter types. This correction prevents out-of-bounds memory writes by ensuring filter types are strictly validated against known limits.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are widely used in servers, cloud infrastructure, and embedded devices. Exploitation could lead to kernel crashes (denial of service) or potentially memory corruption that might be leveraged for privilege escalation or arbitrary code execution, depending on the attacker's capabilities and system configuration. Critical infrastructure, financial institutions, and cloud service providers in Europe relying on Linux-based systems could experience service disruptions or compromise of system integrity. Given the kernel-level nature of the flaw, successful exploitation could undermine system confidentiality, integrity, and availability. Although no active exploits are known, the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain at risk, especially in environments where attackers have local access or can induce ioctl calls to the watch_queue subsystem. The impact is heightened in multi-tenant cloud environments common in Europe, where kernel vulnerabilities can affect multiple customers on shared hardware.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched, ensuring the watch_queue_set_filter() function uses the corrected boundary checks. System administrators should: 1) Identify all Linux systems running affected kernel versions by matching commit hashes or kernel versions against vendor advisories. 2) Apply vendor-supplied kernel updates or patches promptly. 3) For systems where immediate patching is not feasible, consider restricting access to ioctl interfaces related to watch_queue to trusted users only, minimizing the risk of local exploitation. 4) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory protection mechanisms to detect and prevent out-of-bounds memory accesses. 5) Monitor system logs for kernel oops or KASAN alerts that may indicate attempted exploitation. 6) In cloud or containerized environments, ensure kernel versions are up to date and consider isolating workloads to limit the impact of potential kernel crashes. 7) Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about patches and related threats.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-16T11:38:08.911Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ec4522896dcbe6375
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 10:41:22 PM
Last updated: 8/13/2025, 7:09:23 PM
Views: 16
Related Threats
CVE-2025-7353: CWE-1188: Initialization of a Resource with an Insecure Default in Rockwell Automation 1756-EN2T/D
CriticalCVE-2025-55675: CWE-285 Improper Authorization in Apache Software Foundation Apache Superset
MediumCVE-2025-55674: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
MediumCVE-2025-55673: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Superset
MediumCVE-2025-55672: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Apache Software Foundation Apache Superset
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.