CVE-2022-48910: Vulnerability in Linux Linux

Medium
Published: Thu Aug 22 2024 (08/22/2024, 01:30:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ensure we call ipv6_mc_down() at most once

There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface.

If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev->mc_tomb to be allocated for each multicast group the interface is subscribed to, which in turn leaks one struct ifmcaddr6 per nontrivial multicast group the interface is subscribed to.

The following reproducer will leak at least $n objects:

    ip addr add ff2e::4242/32 dev eth0 autojoin
    sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
    for i in $(seq 1 $n); do
        ip link set up eth0; ip link set down eth0
    done

Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2) can also be used to create a nontrivial idev->mc_list, which will then leak objects with the right up-down-sequence.

Based on both sources for NETDEV_DOWN events the interface IPv6 state should be considered:

 - not ready if the network interface is not ready OR IPv6 is disabled for it
 - ready if the network interface is ready AND IPv6 is enabled for it

The functions ipv6_mc_up() and ipv6_down() should only be run when this state changes.

Implement this by remembering when the IPv6 state is ready, and only run ipv6_mc_down() if it actually changed from ready to not ready.

The other direction (not ready -> ready) already works correctly, as:

 - the interface notification triggered codepath for NETDEV_UP / NETDEV_CHANGE returns early if ipv6 is disabled, and
 - the disable_ipv6=0 triggered codepath skips fully initializing the interface as long as addrconf_link_ready(dev) returns false
 - calling ipv6_mc_up() repeatedly does not leak anything

AI-Powered Analysis

Last updated: 06/30/2025, 23:40:41 UTC

Technical Analysis

CVE-2022-48910 is a memory leak in the Linux kernel's IPv6 networking stack, caused by improper handling of multicast group state when a network interface goes down or IPv6 is disabled on it. Both events reach addrconf_notify() as NETDEV_DOWN. If one of the two conditions stays down while the other is toggled, the kernel calls ipv6_mc_down() repeatedly without a corresponding call to ipv6_mc_up() in between. Each such call allocates a new entry in the idev->mc_tomb list for every multicast group the interface is subscribed to, without freeing previous allocations, so the struct ifmcaddr6 objects representing multicast group memberships leak.

The leak can be reproduced by repeatedly bringing an interface up and down while IPv6 is disabled on it. The multicast groups involved can come from an autojoin address, from joining groups via IPV6_ADD_MEMBERSHIP, or from enabling forwarding on the interface. The root cause is that the kernel does not track the IPv6 readiness of the interface, so ipv6_mc_down() runs on every NETDEV_DOWN event whether or not the state actually changed. The fix tracks the IPv6 ready state and only calls ipv6_mc_down() when the state changes from ready to not ready.

This vulnerability does not appear to allow remote code execution or privilege escalation directly, but it causes resource exhaustion through memory leaks in kernel memory structures related to IPv6 multicast. No known exploits in the wild have been reported, and no CVSS score has been assigned yet.
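The following user-space C model is an added illustration, not kernel code and not the upstream patch. It replays the up/down sequence from the description against the pre-fix behaviour and against the "remember the ready state" fix. All struct, function and field names are hypothetical, and the rule that an up transition reclaims one tomb entry per group is a modelling assumption.

```c
/* Added user-space model of the bug and the fix; not kernel code.
 * All names here are hypothetical stand-ins for the kernel's state. */
#include <stdbool.h>
#include <stdio.h>

struct idev_model {
    bool link_up;        /* network interface is ready */
    bool ipv6_disabled;  /* disable_ipv6 sysctl value */
    bool ready;          /* remembered IPv6 state, consulted by the fix only */
    int groups;          /* nontrivial multicast groups in mc_list */
    int tomb;            /* mc_tomb entries currently allocated */
};
enum ev { EV_DOWN, EV_UP };

/* One tomb entry is allocated per group on every call. */
static void mc_down(struct idev_model *d) { d->tomb += d->groups; }
/* Modelling assumption: an up transition reclaims one entry per group. */
static void mc_up(struct idev_model *d)
{ d->tomb -= d->tomb < d->groups ? d->tomb : d->groups; }

static void notify(struct idev_model *d, enum ev e, bool fixed)
{
    if (e == EV_UP) {
        if (!d->link_up || d->ipv6_disabled) return; /* early return */
        mc_up(d);
        d->ready = true;
        return;
    }
    if (!fixed || d->ready) mc_down(d); /* fix: only on ready -> not ready */
    d->ready = false;
}
static void set_link(struct idev_model *d, bool up, bool fixed)
{ if (d->link_up != up) { d->link_up = up; notify(d, up ? EV_UP : EV_DOWN, fixed); } }
static void set_disable_ipv6(struct idev_model *d, bool off, bool fixed)
{ if (d->ipv6_disabled != off) { d->ipv6_disabled = off; notify(d, off ? EV_DOWN : EV_UP, fixed); } }

/* Replays the advisory's up/down sequence; returns entries left after recovery. */
int run_reproducer(int n, int groups, bool fixed)
{
    struct idev_model d = { .link_up = true, .ready = true, .groups = groups };
    set_disable_ipv6(&d, true, fixed);
    for (int i = 0; i < n; i++) { set_link(&d, true, fixed); set_link(&d, false, fixed); }
    set_disable_ipv6(&d, false, fixed);
    set_link(&d, true, fixed); /* interface is ready again */
    return d.tomb;
}

int main(void)
{
    printf("pre-fix leaked: %d, fixed leaked: %d\n",
           run_reproducer(100, 2, false), run_reproducer(100, 2, true));
    return 0;
}
```

In the model the pre-fix path leaves n entries per group behind once the interface is ready again, while the fixed path leaves none.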

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service through resource exhaustion on Linux systems that heavily use IPv6 multicast networking. Servers, network appliances, and IoT devices running affected Linux kernel versions could experience kernel memory leaks leading to degraded performance or crashes if subjected to repeated interface state toggling or multicast group membership changes. This could impact critical infrastructure, telecommunications, cloud service providers, and enterprises relying on Linux-based networking equipment. Although exploitation requires local access or the ability to trigger interface state changes, attackers with such access could cause instability or outages. The vulnerability does not directly expose confidential data or allow privilege escalation but could be leveraged as part of a broader attack chain to disrupt services. Given the widespread use of Linux in European data centers, telecom networks, and industrial control systems, the impact could be significant in environments with IPv6 multicast usage.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2022-48910 as soon as they become available from trusted sources or Linux distributions.
2. Monitor network interface state changes and IPv6 configuration changes to detect unusual patterns of toggling that could trigger the leak.
3. Limit unprivileged user ability to join IPv6 multicast groups or disable unnecessary multicast group memberships on critical systems.
4. Implement system-level resource monitoring to detect abnormal kernel memory usage indicative of leaks.
5. Where possible, restrict local access to systems to trusted users to reduce risk of exploitation.
6. For environments with critical uptime requirements, consider temporarily disabling IPv6 multicast features if feasible until patches are applied.
7. Regularly update Linux kernel versions to incorporate security fixes and improvements in network stack robustness.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:06:23.293Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe659f

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:40:41 PM

Last updated: 8/3/2025, 10:16:43 PM

Views: 14
