CVE-2022-48914: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

xen/netfront: destroy queues before real_num_tx_queues is zeroed

xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two facts together mean that xennet_destroy_queues() called from xennet_remove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226
    RIP: 0010:free_netdev+0xa3/0x1a0
    Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00
    RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286
    RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000
    RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff
    RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050
    R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680
    FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0
    Call Trace:
     <TASK>
     xennet_remove+0x13d/0x300 [xen_netfront]
     xenbus_dev_remove+0x6d/0xf0
     __device_release_driver+0x17a/0x240
     device_release_driver+0x24/0x30
     bus_remove_device+0xd8/0x140
     device_del+0x18b/0x410
     ? _raw_spin_unlock+0x16/0x30
     ? klist_iter_exit+0x14/0x20
     ? xenbus_dev_request_and_reply+0x80/0x80
     device_unregister+0x13/0x60
     xenbus_dev_changed+0x18e/0x1f0
     xenwatch_thread+0xc0/0x1a0
     ? do_wait_intr_irq+0xa0/0xa0
     kthread+0x16b/0x190
     ? set_kthread_struct+0x40/0x40
     ret_from_fork+0x22/0x30
     </TASK>

Fix this by calling xennet_destroy_queues() from xennet_uninit(), when real_num_tx_queues is still available. This ensures that queues are destroyed when real_num_tx_queues is set to 0, regardless of how unregister_netdev() was called.

Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257
AI Analysis
Technical Summary
CVE-2022-48914 is a vulnerability in the Linux kernel specifically affecting the Xen network front-end driver (xen/netfront). The issue arises from improper handling of network transmit queues during device removal. The function xennet_destroy_queues() is responsible for deleting transmit queues based on the value of real_num_tx_queues, a field in the network device structure. However, due to a change introduced by commit d7dac083414eb5bb99a6d2ed53dc2c1b405224e5, unregister_netdev() sets real_num_tx_queues to zero before xennet_destroy_queues() is called from xennet_remove(). This sequence prevents xennet_destroy_queues() from properly deleting the queues.

As a result, the kernel attempts to free queues that are still linked to the NAPI (New API) subsystem, leading to a NULL pointer dereference and a kernel crash (kernel oops). The crash occurs because the kernel tries to access memory at address zero during free_netdev(), causing a supervisor read access fault.

The fix involves moving the call to xennet_destroy_queues() to xennet_uninit(), which is executed before real_num_tx_queues is zeroed, ensuring proper cleanup of queues regardless of how unregister_netdev() is invoked.

This vulnerability can cause denial of service (DoS) by crashing the kernel on systems running Xen with the affected Linux kernel versions. It is particularly relevant for environments using Xen virtualization with Linux guests or hosts, such as Qubes OS, which reported the issue. No known exploits are currently in the wild, and no CVSS score has been assigned yet.
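The teardown-order problem described above, reduced to a user-space C model. This is an added example, not kernel or xen-netfront source: the struct layouts, the napi_refs counter and teardown() are illustrative assumptions. teardown() returns how many NAPI entries are left pointing at freed queue memory for the pre-fix and the fixed call order.

```c
#include <stdio.h>
#include <stdlib.h>
#define NUM_Q 4u

/* Constructed user-space model: names follow the advisory, bodies are simplified. */
struct queue { int napi_linked; };
struct netdev {
    unsigned real_num_tx_queues;
    struct queue *queues;
    int napi_refs;                        /* NAPI entries still linked to the device */
    void (*ndo_uninit)(struct netdev *);
};

static void xennet_destroy_queues(struct netdev *dev)
{
    /* The loop bound is real_num_tx_queues: if it is 0, nothing gets unlinked. */
    for (unsigned i = 0; i < dev->real_num_tx_queues; i++) {
        dev->queues[i].napi_linked = 0;   /* models the per-queue NAPI unlink */
        dev->napi_refs--;
    }
    free(dev->queues);                    /* queue memory is released either way */
    dev->queues = NULL;
}
static void xennet_uninit(struct netdev *dev) { xennet_destroy_queues(dev); }

static void unregister_netdev(struct netdev *dev)
{
    if (dev->ndo_uninit) dev->ndo_uninit(dev);  /* count is still valid here */
    dev->real_num_tx_queues = 0;          /* behaviour since commit d7dac083414e */
}

/* Returns how many NAPI entries still point at freed queues after teardown. */
static int teardown(int fixed)
{
    struct netdev dev = { .real_num_tx_queues = NUM_Q };
    dev.queues = calloc(NUM_Q, sizeof(*dev.queues));
    if (!dev.queues) return -1;
    for (unsigned i = 0; i < NUM_Q; i++) { dev.queues[i].napi_linked = 1; dev.napi_refs++; }
    dev.ndo_uninit = fixed ? xennet_uninit : NULL;
    unregister_netdev(&dev);
    if (!fixed) xennet_destroy_queues(&dev);    /* pre-fix: called from xennet_remove() */
    return dev.napi_refs;
}

int main(void)
{
    printf("pre-fix: %d dangling, fixed: %d dangling\n", teardown(0), teardown(1));
    return 0;
}
```

In the pre-fix order every queue stays linked after its memory is freed, which is the state free_netdev() later walks into in the oops above.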
Potential Impact
For European organizations, the primary impact of CVE-2022-48914 is a potential denial of service condition on Linux systems running Xen virtualization. This could affect cloud service providers, data centers, and enterprises using Xen-based virtualization infrastructure, leading to system instability or crashes during network device removal or reconfiguration. The kernel crash could disrupt critical services, cause downtime, and require system reboots, impacting availability. Confidentiality and integrity impacts are minimal since the vulnerability does not provide direct code execution or privilege escalation but could be leveraged as part of a larger attack chain. Organizations relying on Xen virtualization for secure multi-tenant environments, such as government agencies or financial institutions in Europe, may face operational risks if their systems are affected. The vulnerability also affects Linux distributions that incorporate the vulnerable kernel versions, potentially impacting a wide range of servers and virtualized environments.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address this issue by ensuring xennet_destroy_queues() is called before real_num_tx_queues is zeroed, as described in the fix. Monitor Linux kernel updates from trusted sources and update affected systems promptly.
2. For organizations using Xen virtualization, consider temporarily disabling hot removal or reconfiguration of network devices until patches are applied to reduce the risk of triggering the vulnerability.
3. Implement robust monitoring of kernel logs and system stability to detect early signs of crashes related to network device removal.
4. Use kernel live patching solutions where available to apply fixes without requiring full system reboots, minimizing downtime.
5. Validate and test kernel updates in staging environments before deployment to production to ensure compatibility and stability.
6. Limit administrative access to systems running Xen to trusted personnel to reduce the risk of accidental or malicious triggering of the vulnerability.
7. Maintain up-to-date backups and recovery plans to mitigate the impact of potential denial of service incidents.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:06:23.294Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe65af
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:41:31 PM
Last updated: 8/1/2025, 1:05:06 AM