CVE-2022-48867: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Prevent use after free on completion memory

On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below:

BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq() -> idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device.
AI Analysis
Technical Summary
CVE-2022-48867 is a use-after-free vulnerability in the Linux kernel's dmaengine subsystem, specifically in the Intel Data Streaming Accelerator (idxd) driver. The bug arises during driver unload, when pending DMA descriptors are flushed at the point the interrupt is freed. The call sequence is idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If descriptors are still pending at this stage, the flush touches descriptor memory that drv_disable_wq() has already released through idxd_wq_free_resources(), producing a 'not present' page fault and a kernel BUG report, i.e. a crash of the system. The root cause is an ordering error: the descriptors are freed before the device has been quiesced, so the device may still write completion records into that memory and the driver may still read from it. The fix defers freeing the descriptors until after idxd_wq_reset() has been called, so the memory stays valid during any final completion writes by the device. The vulnerability affects kernel versions that contain the commits referenced in the CVE record and is relevant only to systems that use the idxd driver for DMA operations. No exploits are known in the wild, and no CVSS score has been assigned.
Potential Impact
For European organizations, the risk is concentrated on systems running Linux kernels with the affected idxd driver, which is found mainly on servers and in data centres that use Intel Data Streaming Accelerator hardware for high-performance DMA. Triggering the bug causes a kernel crash (denial of service) that can disrupt critical services. It does not directly enable privilege escalation or data leakage, but the resulting instability could be used as one stage of a larger attack or cause significant operational downtime. Because the faulting path runs during driver unload (the drv_disable_wq() path), which is an administrative operation, the realistic scenario is a crash during maintenance rather than a fault triggered remotely. Organizations relying on Linux-based infrastructure for cloud services, telecommunications, or industrial control systems could experience service interruptions. The impact is heightened where uptime and reliability are critical, such as financial institutions, healthcare providers, and public sector entities across Europe. Since no known exploits exist, the immediate risk is moderate, but it would rise if exploit code were developed.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, that is, the latest stable releases that carry the fix deferring descriptor freeing until after idxd_wq_reset(). System administrators should audit their environments to identify systems that load the idxd driver and ensure those systems are updated promptly. Where immediate patching is not feasible, mitigating controls include disabling the idxd driver if it is not required, or isolating affected systems to limit impact. Monitoring kernel logs for "unable to handle page fault" BUG entries or unexpected kernel panics related to DMA operations can help detect attempts to trigger this vulnerability. Organizations should also maintain robust backup and recovery procedures to minimize downtime in case of exploitation. Coordination with Linux distribution vendors for timely patch deployment is essential.
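The audit and log-monitoring steps above can be scripted. The following is an added example, not code from the advisory or from the kernel project: it reports whether the idxd driver is present on the host and scans kernel log text for the BUG signature quoted in the description, attributing a fault to idxd only when an idxd frame appears shortly after the BUG line. The sysfs path /sys/bus/dsa/devices and the format of the stack-trace lines are assumptions; the sample log embedded for the self-test is constructed, with only the faulting address taken from the advisory.

```shell
#!/bin/sh
# Added example for CVE-2022-48867 (not part of the advisory or the kernel tree).
# Usage: sh idxd_audit.sh --run        (run as root for complete log access)

# Return 0 if the idxd driver is loaded or built in, 1 otherwise.
# Checks /proc/modules (loadable module) and the DSA bus in sysfs
# (assumption: the idxd driver registers its devices under /sys/bus/dsa).
idxd_present() {
    if [ -r /proc/modules ] && grep -q '^idxd ' /proc/modules; then
        return 0
    fi
    if [ -d /sys/bus/dsa/devices ] && [ -n "$(ls -A /sys/bus/dsa/devices 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# Read kernel log text on stdin (e.g. `dmesg` or `journalctl -k -o cat`).
# Print every "unable to handle page fault" BUG line that is followed within
# 40 lines by a frame mentioning idxd, then print the match count on the last
# line. Exit 0 when at least one idxd-attributed fault was found, 1 otherwise.
scan_log_for_idxd_fault() {
    awk '
        /BUG: unable to handle page fault for address/ { bug = $0; left = 40; next }
        left > 0 && /idxd/ { print bug; n++; left = 0; next }
        left > 0 { left-- }
        END { print n + 0; exit (n > 0 ? 0 : 1) }
    '
}

# Constructed sample log for the self-test: one fault inside the idxd unload
# path (address from the advisory; frames and offsets are made up) and one
# unrelated fault in another driver that must not be counted.
sample_log() {
    cat <<'EOF'
kernel: idxd 0000:6a:01.0: Removing device
kernel: BUG: unable to handle page fault for address: ff391c97c70c9040
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: Call Trace:
kernel:  idxd_flush_pending_descs+0x3e/0x120 [idxd]
kernel:  idxd_wq_free_irq+0x23/0x60 [idxd]
kernel:  drv_disable_wq+0x5a/0xa0 [idxd]
kernel: BUG: unable to handle page fault for address: 0000000000000008
kernel: #PF: supervisor read access in kernel mode
kernel: Call Trace:
kernel:  other_driver_fn+0x10/0x20 [other]
kernel: ---[ end trace ]---
EOF
}

main() {
    if idxd_present; then
        echo "idxd driver present: verify kernel $(uname -r) includes the CVE-2022-48867 fix"
    else
        echo "idxd driver not present on this host"
    fi
    # journalctl -k covers the kernel ring buffer of the current boot; fall back to dmesg.
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -k --no-pager -o cat | scan_log_for_idxd_fault
    else
        dmesg | scan_log_for_idxd_fault
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The 40-line window is deliberate: a BUG line alone says nothing about which driver faulted, and an idxd line that precedes the BUG (such as the "Removing device" message in the sample) is not evidence either, so only frames after the BUG header are considered.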
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.921Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6435
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 10:56:40 PM
Last updated: 8/15/2025, 11:01:43 AM