CVE-2022-48871: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on default RX FIFO depth, e.g. 16. Later during serial startup the qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to match real device capabilities, e.g. to 32. The RX UART handle code will read "port->rx_fifo_depth" number of words into "port->rx_fifo" buffer, thus exceeding the bounds.

This can be observed in certain configurations with Qualcomm Bluetooth HCI UART device and KASAN:

Bluetooth: hci0: QCA Product ID :0x00000010
Bluetooth: hci0: QCA SOC Version :0x400a0200
Bluetooth: hci0: QCA ROM Version :0x00000200
Bluetooth: hci0: QCA Patch Version:0x00000d2b
Bluetooth: hci0: QCA controller version 0x02000200
Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
Bluetooth: hci0: QCA Failed to download patch (-2)
==================================================================
BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
Write of size 4 at addr ffff279347d578c0 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x40
dump_stack_lvl+0x8c/0xb8
print_report+0x188/0x488
kasan_report+0xb4/0x100
__asan_store4+0x80/0xa4
handle_rx_uart+0xa8/0x18c
qcom_geni_serial_handle_rx+0x84/0x9c
qcom_geni_serial_isr+0x24c/0x760
__handle_irq_event_percpu+0x108/0x500
handle_irq_event+0x6c/0x110
handle_fasteoi_irq+0x138/0x2cc
generic_handle_domain_irq+0x48/0x64

If the RX FIFO depth changes after probe, be sure to resize the buffer.
AI Analysis
Technical Summary
CVE-2022-48871 is a vulnerability in the Linux kernel's Qualcomm GENI serial driver (qcom-geni-serial), specifically in the handling of the RX FIFO buffer. The driver's probe function allocates the RX FIFO buffer (port->rx_fifo) for a default depth (e.g., 16 words). During serial startup, qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to reflect the actual hardware capabilities (e.g., 32 words) without resizing the buffer that was allocated at probe time. Consequently, when the RX UART handler drains the FIFO, it copies rx_fifo_depth words into the smaller buffer, producing a slab-out-of-bounds write. This memory corruption can lead to kernel crashes or undefined behavior. The bug is observable in configurations involving Qualcomm Bluetooth HCI UART devices, as shown by the kernel address sanitizer (KASAN) report of an out-of-bounds write in handle_rx_uart during Bluetooth initialization on Qualcomm Robotics RB5 hardware. The root cause is a mismatch between the buffer allocation size and the FIFO depth used at runtime. The fix ensures that if the RX FIFO depth changes after the probe phase, the RX FIFO buffer is resized to match, so the handler can no longer write past its end. This vulnerability does not have a CVSS score assigned yet and no known exploits in the wild have been reported as of the publication date.
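The allocation mismatch described above, as an added user-space model in C. This is not the kernel driver's code: the struct and function names are simplified stand-ins for port->rx_fifo, port->rx_fifo_depth, qcom_geni_serial_port_setup() and handle_rx_uart(), the hardware FIFO is simulated, and the "fixed" setup mirrors the advisory's remedy (resize the buffer when the depth changes) using realloc in place of the kernel's allocator. The depths 16 and 32 are the ones the advisory cites.

```c
/*
 * Added example (not drivers/tty/serial/qcom_geni_serial.c): a user-space
 * model of the RX FIFO allocation pattern behind CVE-2022-48871.
 * Names are hypothetical stand-ins for the driver's port fields.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_RX_FIFO_DEPTH 16U   /* depth assumed at probe time */
#define HW_RX_FIFO_DEPTH      32U   /* depth the "hardware" reports at setup */

struct model_port {
    uint32_t *rx_fifo;              /* words drained from the hardware FIFO */
    unsigned int rx_fifo_depth;     /* how many words the RX path will read */
    unsigned int rx_fifo_capacity;  /* how many words rx_fifo really holds */
};

/* probe: allocate the RX buffer for the default depth, as the driver did. */
static int model_probe(struct model_port *port)
{
    memset(port, 0, sizeof(*port));
    port->rx_fifo_depth = DEFAULT_RX_FIFO_DEPTH;
    port->rx_fifo = calloc(port->rx_fifo_depth, sizeof(uint32_t));
    if (!port->rx_fifo)
        return -1;
    port->rx_fifo_capacity = port->rx_fifo_depth;
    return 0;
}

/* Vulnerable setup: adopt the hardware depth but keep the probe-time buffer. */
static int model_port_setup_vulnerable(struct model_port *port, unsigned int hw_depth)
{
    port->rx_fifo_depth = hw_depth;   /* buffer still holds only 16 words */
    return 0;
}

/* Fixed setup: if the depth changed, grow the buffer to match before use. */
static int model_port_setup_fixed(struct model_port *port, unsigned int hw_depth)
{
    unsigned int old_depth = port->rx_fifo_depth;

    port->rx_fifo_depth = hw_depth;
    if (port->rx_fifo && old_depth != hw_depth && hw_depth) {
        uint32_t *grown = realloc(port->rx_fifo, hw_depth * sizeof(uint32_t));
        if (!grown)
            return -1;
        port->rx_fifo = grown;
        port->rx_fifo_capacity = hw_depth;
    }
    return 0;
}

/*
 * RX handler model: the driver reads rx_fifo_depth words into rx_fifo with no
 * bounds check, which is what KASAN caught. Here the write is gated on the
 * tracked capacity so the program stays memory-safe, and the number of words
 * that would have landed past the end of the buffer is returned (0 = safe).
 */
static unsigned int model_handle_rx(struct model_port *port)
{
    unsigned int oob = 0;

    for (unsigned int i = 0; i < port->rx_fifo_depth; i++) {
        if (i < port->rx_fifo_capacity)
            port->rx_fifo[i] = 0xA5A50000u | i;  /* simulated FIFO word */
        else
            oob++;  /* would corrupt the neighbouring slab object */
    }
    return oob;
}

static void model_release(struct model_port *port)
{
    free(port->rx_fifo);
    port->rx_fifo = NULL;
}

/* Probe at 16, setup reports 32, drain once: returns out-of-bounds word count. */
static unsigned int oob_words_vulnerable(void)
{
    struct model_port port;
    unsigned int oob;

    if (model_probe(&port) != 0)
        return (unsigned int)-1;
    model_port_setup_vulnerable(&port, HW_RX_FIFO_DEPTH);
    oob = model_handle_rx(&port);  /* 32 - 16 = 16 words past the end */
    model_release(&port);
    return oob;
}

static unsigned int oob_words_fixed(void)
{
    struct model_port port;
    unsigned int oob;

    if (model_probe(&port) != 0 || model_port_setup_fixed(&port, HW_RX_FIFO_DEPTH) != 0)
        return (unsigned int)-1;
    oob = model_handle_rx(&port);  /* buffer was grown to 32: nothing spills */
    model_release(&port);
    return oob;
}

int main(void)
{
    printf("vulnerable flow: %u words out of bounds\n", oob_words_vulnerable());
    printf("fixed flow:      %u words out of bounds\n", oob_words_fixed());
    return 0;
}
```

The model keeps a separate rx_fifo_capacity field so the mismatch is visible; the real driver has no such field, which is exactly why the over-read was only noticed once KASAN instrumented the write.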
Potential Impact
For European organizations, the impact of CVE-2022-48871 depends largely on the deployment of Linux systems running Qualcomm GENI serial drivers, particularly in embedded or IoT devices that utilize Qualcomm Bluetooth HCI UART interfaces. Potential impacts include system instability, kernel panics, or denial of service due to memory corruption. In critical infrastructure or industrial control systems using affected hardware, this could lead to operational disruptions. While direct remote exploitation is unlikely without local access or specific hardware configurations, attackers with local privileges or physical access could trigger the vulnerability to escalate privileges or disrupt system availability. The vulnerability could also be leveraged as part of a multi-stage attack chain targeting embedded Linux devices in sectors such as manufacturing, robotics, telecommunications, or automotive industries prevalent in Europe. Given the increasing use of Linux-based embedded systems in European industrial environments, this vulnerability poses a moderate risk to operational continuity and security integrity if unpatched.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-48871 as soon as they become available from trusted sources or Linux distributions.
2. For organizations using custom or embedded Linux kernels, ensure that the qcom-geni-serial driver is updated to include the fix that resizes the RX FIFO buffer when the FIFO depth changes after probe.
3. Conduct thorough testing of Bluetooth and serial communication subsystems on affected devices after patching to confirm stability and absence of memory corruption.
4. Implement strict access controls to limit local user privileges on devices running affected kernels to reduce the risk of exploitation by unprivileged users.
5. Monitor kernel logs and system behavior for signs of memory corruption or crashes related to the serial driver, especially on devices with Qualcomm Bluetooth hardware.
6. For critical environments, consider network segmentation and device isolation to limit potential impact if exploitation occurs.
7. Maintain an up-to-date inventory of devices using Qualcomm GENI serial drivers to prioritize patching and risk assessment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.921Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe644e
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 10:57:32 PM
Last updated: 8/16/2025, 7:13:35 AM