CVE-2022-48848: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Do not unregister events twice Nicolas reported that using: # trace-cmd record -e all -M 10 -p osnoise --poll Resulted in the following kernel warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at kernel/tracepoint.c:404 tracepoint_probe_unregister+0x280/0x370 [...] CPU: 0 PID: 1217 Comm: trace-cmd Not tainted 5.17.0-rc6-next-20220307-nico+ #19 RIP: 0010:tracepoint_probe_unregister+0x280/0x370 [...] CR2: 00007ff919b29497 CR3: 0000000109da4005 CR4: 0000000000170ef0 Call Trace: <TASK> osnoise_workload_stop+0x36/0x90 tracing_set_tracer+0x108/0x260 tracing_set_trace_write+0x94/0xd0 ? __check_object_size.part.0+0x10a/0x150 ? selinux_file_permission+0x104/0x150 vfs_write+0xb5/0x290 ksys_write+0x5f/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7ff919a18127 [...] ---[ end trace 0000000000000000 ]--- The warning complains about an attempt to unregister an unregistered tracepoint. This happens on trace-cmd because it first stops tracing, and then switches the tracer to nop. Which is equivalent to: # cd /sys/kernel/tracing/ # echo osnoise > current_tracer # echo 0 > tracing_on # echo nop > current_tracer The osnoise tracer stops the workload when no trace instance is actually collecting data. This can be caused both by disabling tracing or disabling the tracer itself. To avoid unregistering events twice, use the existing trace_osnoise_callback_enabled variable to check if the events (and the workload) are actually active before trying to deactivate them.
AI Analysis
Technical Summary
CVE-2022-48848 is a vulnerability identified in the Linux kernel's tracing subsystem, specifically within the osnoise tracer component. The issue arises from an improper handling of tracepoint unregistration, where the kernel attempts to unregister tracepoint events twice. This double unregistration leads to kernel warnings and potentially unstable kernel behavior. The vulnerability was reported when using the trace-cmd tool with the osnoise tracer, which caused a kernel warning related to tracepoint_probe_unregister. The root cause is that the osnoise tracer stops its workload when no trace instance is actively collecting data, such as when tracing is disabled or the tracer is switched off. However, the code did not properly check if the events were already unregistered before attempting to unregister them again. The fix involves using the existing trace_osnoise_callback_enabled variable to verify whether the events and workload are active before deactivating them, preventing the double unregistration. This vulnerability affects Linux kernel versions around 5.17.0-rc6-next-20220307-nico+ and potentially others with similar tracing implementations. While the vulnerability triggers kernel warnings, it does not appear to directly allow code execution or privilege escalation, and no known exploits are reported in the wild as of the publication date. The issue is primarily a stability and reliability concern within the kernel tracing infrastructure.
Potential Impact
For European organizations relying on Linux-based systems, especially those using kernel tracing tools like trace-cmd for performance monitoring or debugging, this vulnerability could lead to kernel instability or unexpected warnings. While it does not directly compromise confidentiality or integrity, the resulting kernel warnings and potential instability could disrupt critical services, particularly in environments where kernel tracing is actively used for diagnostics or performance tuning. Systems running customized or development kernel versions with the affected tracing code are more susceptible. Disruptions in kernel tracing might delay incident response or system diagnostics, indirectly impacting operational continuity. However, since no known exploits exist and the vulnerability requires specific tracing operations, the immediate risk to most production systems is limited. Nonetheless, organizations with high-dependability Linux systems, such as cloud providers, telecommunications infrastructure, or industrial control systems, should consider the impact on system reliability and monitoring capabilities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should apply the official Linux kernel patches that address the double unregistration issue in the osnoise tracer. If using trace-cmd or similar tracing tools, ensure they are updated to versions compatible with the patched kernel. Avoid running tracing commands that trigger the vulnerability until patches are applied. For environments where kernel tracing is critical, implement monitoring to detect kernel warnings related to tracepoint unregistration. Additionally, consider restricting tracing operations to trusted administrators to reduce accidental triggering. For custom or embedded Linux distributions, coordinate with vendors or maintainers to integrate the fix promptly. Testing kernel updates in staging environments before production deployment is recommended to verify stability. Finally, maintain regular kernel updates as part of the security hygiene to prevent exposure to known kernel vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2022-48848: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Do not unregister events twice Nicolas reported that using: # trace-cmd record -e all -M 10 -p osnoise --poll Resulted in the following kernel warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at kernel/tracepoint.c:404 tracepoint_probe_unregister+0x280/0x370 [...] CPU: 0 PID: 1217 Comm: trace-cmd Not tainted 5.17.0-rc6-next-20220307-nico+ #19 RIP: 0010:tracepoint_probe_unregister+0x280/0x370 [...] CR2: 00007ff919b29497 CR3: 0000000109da4005 CR4: 0000000000170ef0 Call Trace: <TASK> osnoise_workload_stop+0x36/0x90 tracing_set_tracer+0x108/0x260 tracing_set_trace_write+0x94/0xd0 ? __check_object_size.part.0+0x10a/0x150 ? selinux_file_permission+0x104/0x150 vfs_write+0xb5/0x290 ksys_write+0x5f/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7ff919a18127 [...] ---[ end trace 0000000000000000 ]--- The warning complains about an attempt to unregister an unregistered tracepoint. This happens on trace-cmd because it first stops tracing, and then switches the tracer to nop. Which is equivalent to: # cd /sys/kernel/tracing/ # echo osnoise > current_tracer # echo 0 > tracing_on # echo nop > current_tracer The osnoise tracer stops the workload when no trace instance is actually collecting data. This can be caused both by disabling tracing or disabling the tracer itself. To avoid unregistering events twice, use the existing trace_osnoise_callback_enabled variable to check if the events (and the workload) are actually active before trying to deactivate them.
AI-Powered Analysis
Technical Analysis
CVE-2022-48848 is a vulnerability identified in the Linux kernel's tracing subsystem, specifically within the osnoise tracer component. The issue arises from an improper handling of tracepoint unregistration, where the kernel attempts to unregister tracepoint events twice. This double unregistration leads to kernel warnings and potentially unstable kernel behavior. The vulnerability was reported when using the trace-cmd tool with the osnoise tracer, which caused a kernel warning related to tracepoint_probe_unregister. The root cause is that the osnoise tracer stops its workload when no trace instance is actively collecting data, such as when tracing is disabled or the tracer is switched off. However, the code did not properly check if the events were already unregistered before attempting to unregister them again. The fix involves using the existing trace_osnoise_callback_enabled variable to verify whether the events and workload are active before deactivating them, preventing the double unregistration. This vulnerability affects Linux kernel versions around 5.17.0-rc6-next-20220307-nico+ and potentially others with similar tracing implementations. While the vulnerability triggers kernel warnings, it does not appear to directly allow code execution or privilege escalation, and no known exploits are reported in the wild as of the publication date. The issue is primarily a stability and reliability concern within the kernel tracing infrastructure.
Potential Impact
For European organizations relying on Linux-based systems, especially those using kernel tracing tools like trace-cmd for performance monitoring or debugging, this vulnerability could lead to kernel instability or unexpected warnings. While it does not directly compromise confidentiality or integrity, the resulting kernel warnings and potential instability could disrupt critical services, particularly in environments where kernel tracing is actively used for diagnostics or performance tuning. Systems running customized or development kernel versions with the affected tracing code are more susceptible. Disruptions in kernel tracing might delay incident response or system diagnostics, indirectly impacting operational continuity. However, since no known exploits exist and the vulnerability requires specific tracing operations, the immediate risk to most production systems is limited. Nonetheless, organizations with high-dependability Linux systems, such as cloud providers, telecommunications infrastructure, or industrial control systems, should consider the impact on system reliability and monitoring capabilities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should apply the official Linux kernel patches that address the double unregistration issue in the osnoise tracer. If using trace-cmd or similar tracing tools, ensure they are updated to versions compatible with the patched kernel. Avoid running tracing commands that trigger the vulnerability until patches are applied. For environments where kernel tracing is critical, implement monitoring to detect kernel warnings related to tracepoint unregistration. Additionally, consider restricting tracing operations to trusted administrators to reduce accidental triggering. For custom or embedded Linux distributions, coordinate with vendors or maintainers to integrate the fix promptly. Testing kernel updates in staging environments before production deployment is recommended to verify stability. Finally, maintain regular kernel updates as part of the security hygiene to prevent exposure to known kernel vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-16T11:38:08.912Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ec4522896dcbe6379
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 10:41:37 PM
Last updated: 8/17/2025, 5:07:07 PM
Views: 16
Related Threats
CVE-2025-8678: CWE-918 Server-Side Request Forgery (SSRF) in johnbillion WP Crontrol
MediumCVE-2025-57699: Unquoted search path or element in Western Digital Corporation Western Digital Kitfox for Windows
MediumCVE-2025-8281: CWE-79 Cross-Site Scripting (XSS) in WP Talroo
HighCVE-2025-41452: CWE-15: External Control of System or Configuration Setting in Danfoss AK-SM8xxA Series
MediumCVE-2025-41451: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Danfoss AK-SM8xxA Series
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.