
CVE-2022-48895: Vulnerability in Linux Linux

Severity: High
Published: Wed Aug 21 2024 (08/21/2024, 06:10:27 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Don't unregister on shutdown

Michael Walle says he noticed the following stack trace while performing a shutdown with "reboot -f". He suggests he got "lucky" and just hit the correct spot for the reboot while there was a packet transmission in flight.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
Hardware name: Kontron KBox A-230-LS (DT)
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_map_page+0x9c/0x254
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_map_page_attrs+0x1ec/0x250
 enetc_start_xmit+0x14c/0x10b0
 enetc_xmit+0x60/0xdc
 dev_hard_start_xmit+0xb8/0x210
 sch_direct_xmit+0x11c/0x420
 __dev_queue_xmit+0x354/0xb20
 ip6_finish_output2+0x280/0x5b0
 __ip6_finish_output+0x15c/0x270
 ip6_output+0x78/0x15c
 NF_HOOK.constprop.0+0x50/0xd0
 mld_sendpack+0x1bc/0x320
 mld_ifc_work+0x1d8/0x4dc
 process_one_work+0x1e8/0x460
 worker_thread+0x178/0x534
 kthread+0xe0/0xe4
 ret_from_fork+0x10/0x20
Code: d503201f f9416800 d503233f d50323bf (f9404c00)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt

This appears to be reproducible when the board has a fixed IP address, is ping flooded from another host, and "reboot -f" is used.

The following is one more manifestation of the issue:

$ reboot -f
kvm: exiting hardware virtualization
cfg80211: failed to load regulatory.db
arm-smmu 5000000.iommu: disabling translation
sdhci-esdhc 2140000.mmc: Removing from iommu group 11
sdhci-esdhc 2150000.mmc: Removing from iommu group 12
fsl-edma 22c0000.dma-controller: Removing from iommu group 17
dwc3 3100000.usb: Removing from iommu group 9
dwc3 3110000.usb: Removing from iommu group 10
ahci-qoriq 3200000.sata: Removing from iommu group 2
fsl-qdma 8380000.dma-controller: Removing from iommu group 20
platform f080000.display: Removing from iommu group 0
etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
etnaviv etnaviv: Removing from iommu group 1
caam_jr 8010000.jr: Removing from iommu group 13
caam_jr 8020000.jr: Removing from iommu group 14
caam_jr 8030000.jr: Removing from iommu group 15
caam_jr 8040000.jr: Removing from iommu group 16
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.1: Removing from iommu group 5
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.2: Removing from iommu group 6
fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
mscc_felix 0000:00:00.5: Removing from iommu group 3
fsl_enetc 0000:00:00.6: Removing from iommu group 7
pcieport 0001:00:00.0: Removing from iommu group 18
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_unmap_page_attrs+0x38/0x1d0
 en ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 23:26:33 UTC

Technical Analysis

CVE-2022-48895 is a vulnerability in the Linux kernel's ARM System Memory Management Unit (SMMU) driver, part of the IOMMU (Input-Output Memory Management Unit) subsystem. The flaw lies in the shutdown path: the arm-smmu driver unregistered the IOMMU on shutdown while other drivers could still have DMA in flight, so their DMA mapping and unmapping requests were handled against an IOMMU that no longer existed. The result is a NULL pointer dereference in the kernel, observed on a forced reboot ("reboot -f") while network packets were being transmitted, and reproducible when a board with a fixed IP address is ping-flooded from another host during the forced reboot. Both quoted stack traces fault in iommu_get_dma_domain(), reached from the DMA mapping and unmapping helpers (iommu_dma_map_page() and iommu_dma_unmap_page()) used by the enetc network driver; the fault is a fatal exception in interrupt context and ends in a kernel panic, i.e. a denial of service (DoS). The issue was reproduced on ARM-based hardware such as the Kontron KBox A-230-LS and involves the interaction between the ARM SMMU driver and network drivers whose DMA is still active at shutdown. It is timing dependent: a race between ongoing device DMA and IOMMU teardown, in which the unregistering process did not account for in-progress DMA operations and the kernel dereferenced a NULL pointer, raising a fatal exception and panic. No known exploits in the wild have been reported and no CVSS score has been assigned. The impact is nonetheless significant, since the bug can crash affected devices running vulnerable kernel versions and interrupt the services they provide. The root cause relates to the IOMMU's handling of stream IDs and DMA domains during shutdown; the shutdown log shows the SMMU blocking unknown Stream IDs, with a kernel hint that enabling bypass (arm-smmu.disable_bypass=0) would allow them but carries security implications. This vulnerability affects Linux kernel versions prior to the patch that changes the unregistering logic in the ARM SMMU driver.

Potential Impact

For European organizations, the impact of CVE-2022-48895 can be substantial, particularly for those relying on ARM-based Linux systems in critical infrastructure, embedded devices, or edge computing environments. The vulnerability can cause unexpected kernel panics and system crashes during forced reboots or under network stress conditions, leading to denial of service. This can disrupt operations in sectors such as telecommunications, manufacturing, transportation, and IoT deployments where ARM-based Linux devices are prevalent. The forced reboot scenario combined with network flooding suggests that attackers with network access could intentionally trigger system instability, potentially affecting availability of services. Given the increasing adoption of ARM architectures in servers and embedded systems across Europe, organizations using affected Linux kernel versions without the patch risk operational disruptions. Additionally, the vulnerability could complicate incident response and recovery processes due to unexpected system crashes. Although no remote code execution or privilege escalation is indicated, the denial of service impact alone can have serious consequences for business continuity and safety-critical systems.

Mitigation Recommendations

To mitigate CVE-2022-48895, European organizations should:

1) Apply the latest Linux kernel patches that fix the ARM SMMU unregistering logic to prevent NULL pointer dereferences during shutdown. Monitor kernel mailing lists and vendor advisories for updated stable kernel releases addressing this issue.
2) Avoid using forced reboot commands (e.g., "reboot -f") on affected systems, especially under high network load or ping flood conditions, until patches are applied.
3) Implement network-level protections to limit or block ping floods and other network stress attacks that could trigger the vulnerability, such as rate limiting ICMP traffic and deploying intrusion prevention systems.
4) Review and harden IOMMU and DMA configurations, including careful management of stream IDs and disabling bypass modes that may have security implications.
5) Conduct thorough testing of shutdown and reboot procedures in controlled environments to detect potential crashes related to this vulnerability.
6) For embedded and IoT devices running affected kernels, coordinate with hardware vendors to obtain firmware or kernel updates incorporating the fix.
7) Maintain robust monitoring and alerting for kernel panics and system crashes to enable rapid detection and response to exploitation attempts or accidental triggers.
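For recommendation 7 (monitoring for kernel panics), the following Python scanner is an added example and is not part of this advisory or of the Linux kernel project. It parses kernel log lines for the oops shape quoted in the description (a NULL dereference with pc in iommu_get_dma_domain() reached from a DMA map/unmap helper) and counts the arm-smmu "Blocked unknown Stream ID" messages that appear once translation is disabled at shutdown. The SAMPLE_LOG lines are constructed for the example: an abridged copy of the first trace above with dmesg-style timestamps added; the function and symbol names, and the DMA_CALLERS set, are assumptions drawn from the two traces on this page.

```python
"""Scan kernel log lines for the oops signature quoted in CVE-2022-48895
(NULL dereference in iommu_get_dma_domain() during DMA map/unmap) and for the
arm-smmu 'Blocked unknown Stream ID' messages emitted at shutdown.
Added example; not code from the advisory or the kernel tree."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NULL_DEREF_RE = re.compile(
    r"Unable to handle kernel NULL pointer dereference at virtual address ([0-9a-fA-F]+)")
PC_RE = re.compile(r"\bpc : (\S+)")
LR_RE = re.compile(r"\blr : (\S+)")
# A call-trace frame looks like 'symbol+0xoffset/0xsize' on a line of its own.
FRAME_RE = re.compile(r"^\s*(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
SMMU_BLOCKED_RE = re.compile(r"arm-smmu \S+: Blocked unknown Stream ID (0x[0-9a-fA-F]+)")
TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*")

# DMA helpers seen as callers of the faulting function in the advisory's traces
# (assumed set, taken from the two quoted stack traces).
DMA_CALLERS = {"iommu_dma_map_page", "iommu_dma_unmap_page",
               "dma_map_page_attrs", "dma_unmap_page_attrs"}


def symbol(frame: str) -> str:
    """'iommu_get_dma_domain+0x14/0x20' -> 'iommu_get_dma_domain'."""
    return frame.split("+", 1)[0]


@dataclass
class Oops:
    fault_address: str
    pc: Optional[str] = None
    lr: Optional[str] = None
    frames: List[str] = field(default_factory=list)
    panicked: bool = False

    def matches_smmu_shutdown_signature(self) -> bool:
        """pc in iommu_get_dma_domain() and a DMA map/unmap helper on the path."""
        if self.pc is None or symbol(self.pc) != "iommu_get_dma_domain":
            return False
        callers = {symbol(f) for f in self.frames}
        if self.lr:
            callers.add(symbol(self.lr))
        return bool(callers & DMA_CALLERS)


def parse_kernel_log(lines: List[str]) -> Tuple[List[Oops], Dict[str, int]]:
    """Return (oops records, {stream id: blocked count}) found in the lines."""
    oopses: List[Oops] = []
    blocked: Counter = Counter()
    current: Optional[Oops] = None
    in_trace = False
    for raw in lines:
        line = TIMESTAMP_RE.sub("", raw)  # drop a leading '[  41.24] ' timestamp
        m = SMMU_BLOCKED_RE.search(line)
        if m:
            blocked[m.group(1)] += 1
            continue
        m = NULL_DEREF_RE.search(line)
        if m:  # a new oops starts; later lines attach to it
            current = Oops(fault_address=m.group(1))
            oopses.append(current)
            in_trace = False
            continue
        if current is None:
            continue
        if (m := PC_RE.search(line)) and current.pc is None:
            current.pc = m.group(1)
        elif (m := LR_RE.search(line)) and current.lr is None:
            current.lr = m.group(1)
        elif line.startswith("Call trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            current.frames.append(m.group(1))
        elif in_trace:
            in_trace = False  # 'Code:' or '---[ end trace' ends the frame list
        if line.startswith("Kernel panic - not syncing"):
            current.panicked = True
            current = None
    return oopses, dict(blocked)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts an alerting rule can act on."""
    oopses, blocked = parse_kernel_log(lines)
    return {
        "oops_count": len(oopses),
        "smmu_shutdown_signature": sum(o.matches_smmu_shutdown_signature() for o in oopses),
        "panics": sum(o.panicked for o in oopses),
        "blocked_stream_ids": blocked,
    }


# Constructed sample: abridged from the advisory's first trace, timestamps added.
SAMPLE_LOG = [
    "[   41.210000] arm-smmu 5000000.iommu: disabling translation",
    "[   41.220000] fsl_enetc 0000:00:00.0: Removing from iommu group 4",
    '[   41.230000] arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications',
    '[   41.231000] arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications',
    "[   41.240000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098",
    "[   41.241000] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930",
    "[   41.242000] pc : iommu_get_dma_domain+0x14/0x20",
    "[   41.243000] lr : iommu_dma_map_page+0x9c/0x254",
    "[   41.244000] Call trace:",
    "[   41.245000]  iommu_get_dma_domain+0x14/0x20",
    "[   41.246000]  dma_map_page_attrs+0x1ec/0x250",
    "[   41.247000]  enetc_start_xmit+0x14c/0x10b0",
    "[   41.248000]  process_one_work+0x1e8/0x460",
    "[   41.249000] Code: d503201f f9416800 d503233f d50323bf (f9404c00)",
    "[   41.250000] ---[ end trace 0000000000000000 ]---",
    "[   41.251000] Kernel panic - not syncing: Oops: Fatal exception in interrupt",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Fed a pstore/ramoops dump or a `journalctl -k` export from a device that crashed at shutdown, `summarize()` gives an alert rule both the signature match (patched kernels should never produce it) and the blocked-Stream-ID count, which is worth tracking on its own because a non-zero value means some device was still issuing DMA after translation was disabled.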


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:06:23.290Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6514

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:26:33 PM

Last updated: 8/4/2025, 12:36:51 AM

