CVE-2022-48855: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

sctp: fix kernel-infoleak for SCTP sockets

syzbot reported a kernel infoleak [1] of 4 bytes.

After analysis, it turned out r->idiag_expires is not initialized if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()

Make sure to clear idiag_timer/idiag_retrans/idiag_expires and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
copyout lib/iov_iter.c:154 [inline]
_copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
copy_to_iter include/linux/uio.h:162 [inline]
simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
__skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
__sys_recvfrom+0x795/0xa10 net/socket.c:2097
__do_sys_recvfrom net/socket.c:2115 [inline]
__se_sys_recvfrom net/socket.c:2111 [inline]
__x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3247 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1158 [inline]
netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
__netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
netlink_dump_start include/linux/netlink.h:254 [inline]
inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
sock_diag_rcv_msg+0x24a/0x620
netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:705 [inline]
sock_sendmsg net/socket.c:725 [inline]
sock_write_iter+0x594/0x690 net/socket.c:1061
do_iter_readv_writev+0xa7f/0xc70
do_iter_write+0x52c/0x1500 fs/read_write.c:851
vfs_writev fs/read_write.c:924 [inline]
do_writev+0x645/0xe00 fs/read_write.c:967
__do_sys_writev fs/read_write.c:1040 [inline]
__se_sys_writev fs/read_write.c:1037 [inline]
__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0

CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
AI Analysis
Technical Summary
CVE-2022-48855 is an information-leak vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation: uninitialized kernel memory is copied to user space. The idiag_expires field of the SCTP diagnostic message structure is not initialized when inet_sctp_diag_fill() takes the path that calls inet_diag_msg_common_fill(), so the 4 bytes of that field reach user space holding whatever the allocation previously contained; syzbot's KMSAN instrumentation detected the leak. The root cause is that the timer-related fields (idiag_timer, idiag_retrans, idiag_expires) are not cleared before they are conditionally filled by inet_diag_msg_sctpasoc_fill(), so on the other path stale kernel memory is exposed through netlink socket diagnostic messages. The bug was reported against kernel version 5.17.0-rc4 and likely affects other versions with the same SCTP diagnostic code. The disclosure happens when the diagnostic reply is copied to user space, so it can expose kernel memory contents. Although the leaked data is small (4 bytes), it could help an attacker learn about the kernel memory layout or other sensitive information. Triggering it requires no privileges beyond opening SCTP sockets and requesting diagnostic information, which is generally available to unprivileged users. No known exploits have been reported in the wild, and no CVSS score has been assigned yet. The issue was responsibly disclosed and fixed by clearing the relevant fields before they are conditionally filled, so that no uninitialized memory is exposed.
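As an added illustration (not the kernel's code), the following C program models the two fill paths described above on a message allocated from memory that was never zeroed, counts how many bytes would still reach user space uninitialized, and contrasts the vulnerable shape with the fix that clears idiag_timer/idiag_retrans/idiag_expires up front. The struct subset, the 0xAA poison pattern and the filled-in values are constructed for the example.

```c
/* Added example, not kernel code: user-space model of the CVE-2022-48855
 * pattern. The diag message is built in memory the allocator did not zero
 * (like the skb data in the KMSAN report); a field written on only one
 * code path leaks whatever was there before. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subset of the diag message; field names are from the page. */
struct diag_msg {
    uint8_t  idiag_family, idiag_state, idiag_timer, idiag_retrans;
    uint32_t idiag_expires;
};
#define POISON 0xAA /* stands in for stale heap contents */
static void common_fill(struct diag_msg *r) { r->idiag_family = 2; r->idiag_state = 1; }
static void sctpasoc_fill(struct diag_msg *r) {
    common_fill(r);
    r->idiag_timer = 1; r->idiag_retrans = 0; r->idiag_expires = 3000; /* constructed */
}

/* Vulnerable shape: with no association, timer/retrans are zeroed but
 * idiag_expires is never written, so its 4 bytes stay uninitialized. */
void fill_vulnerable(struct diag_msg *r, int have_assoc) {
    if (have_assoc) { sctpasoc_fill(r); return; }
    common_fill(r);
    r->idiag_timer = 0;
    r->idiag_retrans = 0;
}

/* Fixed shape: clear all three fields before either path runs. */
void fill_fixed(struct diag_msg *r, int have_assoc) {
    r->idiag_timer = 0;
    r->idiag_retrans = 0;
    r->idiag_expires = 0;
    if (have_assoc) sctpasoc_fill(r); else common_fill(r);
}

/* Number of message bytes still holding POISON after fill(): the bytes a
 * copy to user space would disclose. Returns -1 if malloc fails. */
int leaked_bytes(void (*fill)(struct diag_msg *, int), int have_assoc) {
    struct diag_msg *r = malloc(sizeof *r);
    if (!r) return -1;
    memset(r, POISON, sizeof *r); /* unzeroed kmalloc stand-in */
    fill(r, have_assoc);
    const unsigned char *p = (const unsigned char *)r;
    int n = 0;
    for (size_t i = 0; i < sizeof *r; i++) n += (p[i] == POISON);
    free(r);
    return n;
}
```

The vulnerable fill without an association reports 4 leaked bytes, matching the size syzbot observed; both fixed paths report none.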
Potential Impact
For European organizations, the impact of CVE-2022-48855 is primarily a confidentiality risk from kernel memory disclosure. While the leak is small, even minimal kernel info leaks can help attackers bypass kernel-level protections such as KASLR (Kernel Address Space Layout Randomization) and so facilitate more severe attacks such as privilege escalation or kernel code execution. Organizations running Linux servers or infrastructure that use SCTP, which is common in telecommunications, real-time applications and some clustered environments, may be at risk. The vulnerability could be used by local unprivileged users or malicious processes to glean kernel memory details as a stepping stone in a multi-stage attack. Although it does not directly cause denial of service or integrity violations, the confidentiality breach could undermine the system's security posture. Given the widespread use of Linux in European data centers, cloud environments and critical infrastructure, unpatched systems could be targeted by attackers aiming to escalate privileges or evade detection. However, the absence of known exploits and the requirement for local access limit the immediate threat level. Organizations with high-security requirements or exposed multi-tenant environments should still prioritize mitigation.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-48855 as soon as they become available for your distribution. Monitor vendor advisories for updated kernel packages.
2. If patching immediately is not feasible, consider disabling SCTP protocol support temporarily if it is not required by your environment, to eliminate the attack surface.
3. Restrict access to SCTP sockets and diagnostic interfaces using Linux security modules (e.g., SELinux, AppArmor) or by limiting capabilities to trusted users only.
4. Employ kernel hardening features such as KASLR, kernel lockdown modes, and seccomp filters to reduce the risk of exploitation leveraging info leaks.
5. Monitor system logs and network activity for unusual SCTP socket usage or diagnostic requests that could indicate reconnaissance attempts.
6. Conduct regular vulnerability scanning and penetration testing focused on kernel info leaks and local privilege escalation vectors.
7. Educate system administrators about the risks of uninitialized memory leaks and the importance of timely kernel updates.
These steps go beyond generic advice by focusing on SCTP-specific controls, access restrictions, and proactive monitoring tailored to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.918Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe63c5
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 10:43:17 PM
Last updated: 8/2/2025, 1:01:52 PM