
CVE-2022-48925: Vulnerability in Linux

Severity: High
Published: Thu Aug 22 2024 (08/22/2024, 01:33:11 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Do not change route.addr.src_addr outside state checks

If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address.

For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation():

    if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

Which would manifest as this trace from syzkaller:

    BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
    Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

    CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x141/0x1d7 lib/dump_stack.c:120
     print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
     __kasan_report mm/kasan/report.c:399 [inline]
     kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
     __list_add_valid+0x93/0xa0 lib/list_debug.c:26
     __list_add include/linux/list.h:67 [inline]
     list_add_tail include/linux/list.h:100 [inline]
     cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
     rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
     ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
     ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
     vfs_write+0x28e/0xa30 fs/read_write.c:603
     ksys_write+0x1ee/0x250 fs/read_write.c:658
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xae

This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid. This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family")
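The defect class described above (mutating shared state before the state check, then freeing an object that is still linked into a list) is easy to reproduce in a small user-space model. The program below is an added illustration, not the kernel's code: the structures, the CM_IDLE/CM_LISTEN state machine, the listen list and the function names (modelled loosely on resolve_prepare_src(), rdma_bind_addr(), cma_listen_on_all() and the cma_cancel_operation() test quoted in the advisory) are all constructed. The wildcard test in the model only understands IPv4 and IPv6, and the "corrupting" call uses an AF_IB destination; that pairing is an assumption chosen to make the corruption visible, since the advisory does not spell out how src_addr ends up failing cma_any_addr(). The buggy and fixed variants differ only in when src_addr is written.

```c
/* Constructed user-space model of the CVE-2022-48925 defect class (not kernel code). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef AF_IB
#define AF_IB 27 /* Linux value; used here only as "a family the wildcard test ignores" */
#endif

enum cm_state { CM_IDLE, CM_LISTEN };

struct cm_id {
    enum cm_state state;
    struct sockaddr_storage src_addr; /* shared state that only valid transitions may write */
    struct sockaddr_storage dst_addr;
    struct cm_id *next;               /* membership in the global listen list */
};

static struct cm_id *listen_list;     /* models the list cma_listen_on_all() appends to */

/* Models cma_any_addr(): wildcard test used at teardown. Assumption: only
 * IPv4/IPv6 are understood, so any other family reads as "not wildcard". */
static int is_any_addr(const struct sockaddr_storage *a)
{
    if (a->ss_family == AF_INET)
        return ((const struct sockaddr_in *)a)->sin_addr.s_addr == htonl(INADDR_ANY);
    if (a->ss_family == AF_INET6)
        return IN6_IS_ADDR_UNSPECIFIED(&((const struct sockaddr_in6 *)a)->sin6_addr);
    return 0;
}

/* "Any address derived from the dst": a zeroed address carrying dst's family. */
static void build_any_from_dst(struct sockaddr_storage *out, const struct sockaddr_storage *dst)
{
    memset(out, 0, sizeof(*out));
    out->ss_family = dst->ss_family;
}

/* Models rdma_bind_addr(): the state check lives here; src_addr is written only
 * when the transition is valid. */
static int bind_addr(struct cm_id *id, const struct sockaddr_storage *addr)
{
    if (id->state != CM_IDLE)
        return -EINVAL;
    memcpy(&id->src_addr, addr, sizeof(*addr));
    return 0;
}

/* BUGGY shape: src_addr is overwritten before anything checks the state, so a
 * LISTEN id that is (correctly) rejected has still been modified. */
static int resolve_prepare_src_buggy(struct cm_id *id, const struct sockaddr_storage *dst)
{
    build_any_from_dst(&id->src_addr, dst); /* unconditional write to shared state */
    if (id->state != CM_IDLE)
        return -EINVAL;                     /* too late: the damage is done */
    memcpy(&id->dst_addr, dst, sizeof(*dst));
    return 0;
}

/* FIXED shape: the temporary lives on the stack and goes through bind_addr(),
 * which refuses to touch src_addr unless the state is valid. */
static int resolve_prepare_src_fixed(struct cm_id *id, const struct sockaddr_storage *dst)
{
    struct sockaddr_storage any;
    build_any_from_dst(&any, dst);
    int ret = bind_addr(id, &any);
    if (ret)
        return ret;
    memcpy(&id->dst_addr, dst, sizeof(*dst));
    return 0;
}

static void listen_on_all(struct cm_id *id)
{
    id->state = CM_LISTEN;
    id->next = listen_list;
    listen_list = id;
}

static void cancel_listens(struct cm_id *id)
{
    for (struct cm_id **pp = &listen_list; *pp; pp = &(*pp)->next)
        if (*pp == id) { *pp = id->next; return; }
}

static int list_contains(const struct cm_id *id)
{
    for (const struct cm_id *p = listen_list; p; p = p->next)
        if (p == id) return 1;
    return 0;
}

/* Models the quoted cma_cancel_operation() test: a listener whose src_addr no
 * longer looks like a wildcard is freed without being unlinked. The free itself
 * is omitted so the caller can inspect the list afterwards. */
static void destroy_id(struct cm_id *id)
{
    if (id->state == CM_LISTEN && is_any_addr(&id->src_addr))
        cancel_listens(id);
}

/* Scenario: a listen-on-all id receives a prepare_src call while not idle, then
 * is destroyed. Returns 1 if the list still references the id afterwards (the
 * dangling-pointer precondition for the use-after-free), else 0. */
int scenario_leaves_dangling_entry(int use_fixed)
{
    static struct cm_id id;            /* static: the list may still point at it */
    struct sockaddr_storage dst;
    listen_list = NULL;
    memset(&id, 0, sizeof(id));
    id.src_addr.ss_family = AF_INET;   /* zeroed sin_addr == INADDR_ANY: listen on all */
    listen_on_all(&id);

    memset(&dst, 0, sizeof(dst));
    dst.ss_family = AF_IB;             /* constructed destination, see lead-in */
    if (use_fixed)
        resolve_prepare_src_fixed(&id, &dst);   /* both variants return -EINVAL; */
    else
        resolve_prepare_src_buggy(&id, &dst);   /* only the side effect differs */

    destroy_id(&id);
    return list_contains(&id);
}

int main(void)
{
    printf("buggy: dangling listen entry = %d\n", scenario_leaves_dangling_entry(0));
    printf("fixed: dangling listen entry = %d\n", scenario_leaves_dangling_entry(1));
    return 0;
}
```

Running it shows the buggy variant leaving the destroyed id on the listen list (the next listen_on_all() would walk through a freed object, which is what KASAN flagged in __list_add_valid) while the fixed variant, which never reaches the memcpy, leaves the listener intact and unlinks it cleanly.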

AI-Powered Analysis

Last updated: 06/30/2025, 23:43:10 UTC

Technical Analysis

CVE-2022-48925 is a vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) Connection Manager (cma) subsystem. The flaw arises from improper handling of the source address (src_addr) within the route structure during state transitions. Specifically, when the RDMA connection state is not idle, the function resolve_prepare_src() should fail immediately without modifying global state. However, due to a logic error, it unconditionally overwrites src_addr to build a temporary 'any' address. This can corrupt the src_addr when the state is already RDMA_CM_LISTEN, leading to inconsistent state checks in cma_cancel_operation(). The vulnerability manifests as a use-after-free bug detected by Kernel Address Sanitizer (KASAN), indicating that an rdma_id_private structure was destroyed without properly canceling listens, causing memory corruption and potential kernel crashes. The fix involves explicitly building the 'any' address on the stack and only copying it to src_addr after validating the connection state, preventing unintended memory overwrites. This vulnerability is rooted in the RDMA subsystem's handling of connection states and address bindings, and is similar to a previous fix that prevented changes to route.addr.src_addr.ss_family. Exploitation could lead to kernel crashes or memory corruption, potentially enabling denial of service or privilege escalation if combined with other vulnerabilities. No known exploits are currently reported in the wild.

Potential Impact

For European organizations, the impact of CVE-2022-48925 depends largely on their use of Linux systems with RDMA capabilities, which are common in high-performance computing, data centers, and enterprise environments requiring low-latency networking. Successful exploitation could cause kernel crashes leading to denial of service, impacting availability of critical services. In environments where RDMA is used for storage or inter-node communication, such disruptions could degrade performance or cause data access interruptions. Although no direct evidence of privilege escalation exists, memory corruption vulnerabilities in the kernel can sometimes be leveraged as part of multi-stage attacks to gain elevated privileges. Given the widespread use of Linux in European infrastructure, especially in sectors like finance, telecommunications, and research institutions, the vulnerability poses a moderate risk. However, the requirement for specific RDMA configurations and the absence of known exploits reduce immediate threat levels. Organizations relying on RDMA should prioritize patching to maintain system stability and security.

Mitigation Recommendations

1. Apply the latest Linux kernel updates that include the patch for CVE-2022-48925 as soon as they become available.
2. Audit systems to identify those running RDMA-enabled kernels and assess exposure.
3. Disable RDMA services or modules on systems where RDMA functionality is not required to reduce attack surface.
4. Implement kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory issues early.
5. Monitor kernel logs and system behavior for signs of memory corruption or unexpected crashes related to RDMA operations.
6. For critical environments, consider network segmentation to isolate RDMA traffic and limit potential exploitation scope.
7. Engage with Linux distribution vendors to ensure timely receipt of patches and security advisories related to RDMA vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:06:23.296Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe65fc

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:43:10 PM

Last updated: 8/16/2025, 6:47:57 AM

