CVE-2022-48913: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':

==================================================================
BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100
Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_address_description.constprop.0.cold+0xab/0x381
 ? blk_dropped_read+0x89/0x100
 ? blk_dropped_read+0x89/0x100
 kasan_report.cold+0x83/0xdf
 ? blk_dropped_read+0x89/0x100
 kasan_check_range+0x140/0x1b0
 blk_dropped_read+0x89/0x100
 ? blk_create_buf_file_callback+0x20/0x20
 ? kmem_cache_free+0xa1/0x500
 ? do_sys_openat2+0x258/0x460
 full_proxy_read+0x8f/0xc0
 vfs_read+0xc6/0x260
 ksys_read+0xb9/0x150
 ? vfs_write+0x3d0/0x3d0
 ? fpregs_assert_state_consistent+0x55/0x60
 ? exit_to_user_mode_prepare+0x39/0x1e0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fbc080d92fd
Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1
RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd
RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045
RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd
R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0
R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8
 </TASK>

Allocated by task 1050:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 do_blk_trace_setup+0xcb/0x410
 __blk_trace_setup+0xac/0x130
 blk_trace_ioctl+0xe9/0x1c0
 blkdev_ioctl+0xf1/0x390
 __x64_sys_ioctl+0xa5/0xe0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1050:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x103/0x180
 kfree+0x9a/0x4c0
 __blk_trace_remove+0x53/0x70
 blk_trace_ioctl+0x199/0x1c0
 blkdev_common_ioctl+0x5e9/0xb30
 blkdev_ioctl+0x1a5/0x390
 __x64_sys_ioctl+0xa5/0xe0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88816912f380
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 88 bytes inside of
 96-byte region [ffff88816912f380, ffff88816912f3e0)
The buggy address belongs to the page:
page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f
flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
 ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
AI Analysis
Technical Summary
CVE-2022-48913 is a use-after-free (UAF) vulnerability in the Linux kernel's block tracing subsystem (blktrace). The vulnerability arises when tracing the entire disk: the debugfs files 'dropped' and 'msg' are created directly under 'q->debugfs_dir' while the 'bt->dir' pointer is NULL, so blk_trace_free() does not remove them and they outlive the struct blk_trace they refer to. Reading one of those stale files then dereferences freed memory, which the Kernel Address Sanitizer (KASAN) reports as an invalid read in blk_dropped_read(). As the allocation and free stacks show, the blk_trace object is set up and torn down through block-tracing ioctl operations (the blk_trace_ioctl() and blkdev_ioctl() handlers), while the stale access itself happens on a later read of the leftover 'dropped' file (blk_dropped_read() reached through vfs_read()). The root cause is improper cleanup of debugfs entries combined with dereferencing freed memory, which can cause kernel crashes or potentially allow attackers to execute arbitrary code or escalate privileges through memory corruption. The vulnerability affects Linux kernel versions prior to the patch that addresses this issue. The kernel stack traces and memory state dump confirm the use-after-free condition and the context in which it is triggered. No public exploits are currently known, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions with block tracing enabled or used. The use-after-free can lead to kernel panics, causing denial of service (DoS) conditions on critical infrastructure such as servers, storage systems, and embedded devices. In environments where block tracing is used for performance monitoring or debugging, exploitation could allow attackers with local access to trigger memory corruption, potentially escalating privileges or executing arbitrary code in kernel space. This is particularly concerning for data centers, cloud providers, and enterprises relying on Linux-based storage solutions. The impact extends to availability and integrity of systems, with confidentiality potentially at risk if attackers leverage the vulnerability to gain elevated access. Given the widespread use of Linux in European governmental, financial, and industrial sectors, the vulnerability could disrupt critical services and operations if exploited.
Mitigation Recommendations
Organizations should promptly update their Linux kernels to versions that include the patch fixing CVE-2022-48913. Since the vulnerability is triggered via ioctl calls related to block tracing, disabling or restricting access to blktrace functionality on production systems can reduce risk. Specifically, limit the use of debugfs and block tracing interfaces to trusted administrators only. Employ kernel hardening features such as Kernel Address Sanitizer (KASAN) during testing phases to detect similar issues early. Monitoring kernel logs for KASAN alerts or unusual blk_trace activity can help detect exploitation attempts. For environments where kernel updates are delayed, consider applying backported patches or vendor-supplied security updates. Additionally, enforce strict local access controls and audit usage of ioctl calls related to block devices. Network segmentation and limiting user privileges will further reduce the attack surface. Finally, maintain robust incident response plans to quickly address any kernel-level compromises.
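The log-monitoring step above can be automated. The following parser is an added example for this page, not code from the advisory or from the kernel project: it scans kernel log text (for instance the output of dmesg or journalctl -k) for KASAN reports, extracts the bug kind, faulting function, access details, task and the allocation and free stacks, and flags reports whose frames touch blktrace code paths. The sample log is constructed for this example from the KASAN report quoted in the description above, trimmed and bracketed by two unrelated kernel lines; the BLKTRACE_FRAMES substrings are an assumption drawn from the advisory's own stack frames, not an exhaustive list.

```python
import re
from dataclasses import dataclass, field

# Substrings that identify blktrace code paths in a stack frame. Assumption:
# taken from the frames in the advisory's own report, not an exhaustive list.
BLKTRACE_FRAMES = ("blk_trace", "blk_dropped_read", "blk_msg_write")

# Constructed sample: the advisory's KASAN report, trimmed, between two
# unrelated dmesg-style lines (timestamps are stripped before matching).
SAMPLE_LOG = """\
[  100.001234] usb 1-1: new high-speed USB device number 2 using xhci_hcd
==================================================================
BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100
Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

Call Trace:
 <TASK>
 blk_dropped_read+0x89/0x100
 vfs_read+0xc6/0x260
 </TASK>

Allocated by task 1050:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 do_blk_trace_setup+0xcb/0x410
 blk_trace_ioctl+0xe9/0x1c0

Freed by task 1050:
 kasan_save_stack+0x1e/0x40
 __kasan_slab_free+0x103/0x180
 kfree+0x9a/0x4c0
 __blk_trace_remove+0x53/0x70
 blk_trace_ioctl+0x199/0x1c0

The buggy address belongs to the object at ffff88816912f380
==================================================================
[  100.002345] systemd[1]: Started Daily Cleanup of Temporary Directories.
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"
)
FRAME_RE = re.compile(r"^\s+(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?\s*$")


@dataclass
class KasanReport:
    kind: str
    func: str
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    alloc_stack: list[str] = field(default_factory=list)
    free_stack: list[str] = field(default_factory=list)

    def touches_blktrace(self) -> bool:
        """True if the faulting function or either lifetime stack is in blktrace code."""
        frames = [self.func, *self.alloc_stack, *self.free_stack]
        return any(tag in f for f in frames for tag in BLKTRACE_FRAMES)


def parse_kasan_reports(log: str) -> list[KasanReport]:
    """Extract every KASAN report bracketed by the '====' rules in a kernel log."""
    reports: list[KasanReport] = []
    current = None
    section = None  # "alloc", "free" or None while inside a report
    for raw in log.splitlines():
        line = TS_RE.sub("", raw)
        if line.startswith("====="):  # KASAN opens and closes each report with a rule
            if current is not None:
                reports.append(current)
                current = None
            section = None
            continue
        if current is None:
            m = BUG_RE.match(line)
            if m:
                current = KasanReport(kind=m["kind"], func=m["func"])
            continue
        m = ACCESS_RE.match(line)
        if m:
            current.op, current.task = m["op"], m["task"]
            current.size, current.pid = int(m["size"]), int(m["pid"])
            current.addr = int(m["addr"], 16)
            continue
        if line.startswith("Allocated by task"):
            section = "alloc"
            continue
        if line.startswith("Freed by task"):
            section = "free"
            continue
        if line.startswith("The buggy address"):
            section = None
            continue
        m = FRAME_RE.match(line)
        if m and section == "alloc":
            current.alloc_stack.append(m["sym"])
        elif m and section == "free":
            current.free_stack.append(m["sym"])
    if current is not None:  # log ended mid-report (e.g. truncated ring buffer)
        reports.append(current)
    return reports


def summarize(report: KasanReport) -> str:
    """One-line triage string for an alert; skips KASAN's own bookkeeping frames."""
    origin = [f for f in report.free_stack if not f.lstrip("_").startswith("kasan_")]
    freed_by = " <- ".join(origin[:3]) if origin else "unknown"
    return (f"KASAN {report.kind} in {report.func}: {report.op} of {report.size} bytes "
            f"at 0x{report.addr:x} by {report.task}/{report.pid}; freed via {freed_by}")


if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_LOG):
        tag = "BLKTRACE" if r.touches_blktrace() else "other"
        print(f"[{tag}] {summarize(r)}")
```

Feed it real input with something like parse_kasan_reports(open("/var/log/kern.log").read()); the free stack is the most useful field for triage, since it names the teardown path (here kfree reached from __blk_trace_remove through the ioctl handler) that released the object before the stale read. KASAN reports only appear on kernels built with KASAN, so this check belongs on test and staging systems rather than production.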
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:06:23.294Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe65ab
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:41:19 PM
Last updated: 8/11/2025, 8:18:15 AM
Views: 11