CVE-2022-48940: Vulnerability in Linux

High
Published: Thu Aug 22 2024 (08/22/2024, 03:31:35 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to incorrect copy_map_value

When both bpf_spin_lock and bpf_timer are present in a BPF map value, copy_map_value needs to skirt both objects when copying a value into and out of the map. However, the current code does not set both s_off and t_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock is placed in map value with bpf_timer, as bpf_map_update_elem call will be able to overwrite the other timer object.

When the issue is not fixed, an overwriting can produce the following splat:

    [root@(none) bpf]# ./test_progs -t timer_crash
    [ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.
    [ 16.037849] ==================================================================
    [ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520
    [ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325
    [ 16.039399]
    [ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278
    [ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014
    [ 16.040485] Call Trace:
    [ 16.040645] <TASK>
    [ 16.040805] dump_stack_lvl+0x59/0x73
    [ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520
    [ 16.041427] kasan_report.cold+0x116/0x11b
    [ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520
    [ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520
    [ 16.042328] ? memcpy+0x39/0x60
    [ 16.042552] ? pv_hash+0xd0/0xd0
    [ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0
    [ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0
    [ 16.043366] ? bpf_get_current_comm+0x50/0x50
    [ 16.043608] ? jhash+0x11a/0x270
    [ 16.043848] bpf_timer_cancel+0x34/0xe0
    [ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81
    [ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000
    [ 16.044836] __x64_sys_nanosleep+0x5/0x140
    [ 16.045119] do_syscall_64+0x59/0x80
    [ 16.045377] ? lock_is_held_type+0xe4/0x140
    [ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40
    [ 16.046001] ? mark_held_locks+0x24/0x90
    [ 16.046287] ? asm_exc_page_fault+0x1e/0x30
    [ 16.046569] ? asm_exc_page_fault+0x8/0x30
    [ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100
    [ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 16.047405] RIP: 0033:0x7f9e4831718d
    [ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48
    [ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023
    [ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d
    [ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0
    [ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0
    [ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30
    [ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    [ 16.051608] </TASK>
    [ 16.051762] ==================================================================

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 23:57:23 UTC

Technical Analysis

CVE-2022-48940 is a vulnerability in the Linux kernel's handling of BPF (Berkeley Packet Filter) map values that contain both a bpf_spin_lock and a bpf_timer object. The helper copy_map_value must skip both objects when copying a value into or out of the map, because they hold kernel-owned state rather than user data. The affected code did not set both offsets (s_off and t_off) when both objects were present, so a bpf_map_update_elem call could overwrite the timer object in the map value with caller-supplied bytes. The resulting corruption shows up in the quoted kernel address sanitizer (KASAN) report as a user-memory-access violation in __pv_queued_spin_lock_slowpath, reached through bpf_timer_cancel: an 8-byte write to an invalid address that crashes the kernel. The vulnerability affects Linux kernel versions containing the affected BPF code and is triggered by loading a BPF program that places both bpf_spin_lock and bpf_timer in a map value. Exploitability is limited to scenarios where untrusted or malicious BPF programs can be loaded and executed, which typically requires elevated privileges or specific capabilities. No CVSS score has been assigned to this CVE, but it is publicly disclosed and fixed in recent Linux kernel versions.
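A simplified model of the copy logic discussed above, added here as an illustration and not the kernel's own code (the layout struct, the 32-byte value size, the 8-byte object size and the offsets are all constructed): the pre-fix variant skips only one object, the post-fix variant sets both s_off and t_off, and objects_preserved reports which variant keeps the kernel-owned lock and timer bytes intact while still copying the ordinary payload.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model, not the kernel's code: a 32-byte map value holding an 8-byte
 * spin lock and an 8-byte timer, both kernel-owned and never user-writable. */
#define VALUE_SIZE 32
#define OBJ_SZ 8
struct layout { uint32_t lock_off, timer_off; bool has_lock, has_timer; };
typedef void (*copy_fn)(const struct layout *, uint8_t *, const uint8_t *);

/* Pre-fix: only one object is skipped (the lock wins), so the timer bytes get overwritten from src. */
static void copy_map_value_buggy(const struct layout *m, uint8_t *dst, const uint8_t *src)
{
    uint32_t off = 0, sz = 0;
    if (m->has_lock) { off = m->lock_off; sz = OBJ_SZ; }
    else if (m->has_timer) { off = m->timer_off; sz = OBJ_SZ; }
    memcpy(dst, src, off);
    memcpy(dst + off + sz, src + off + sz, VALUE_SIZE - off - sz);
}

/* Post-fix: set both s_off and t_off, order them so s_off is the upper object, copy around both. */
static void copy_map_value_fixed(const struct layout *m, uint8_t *dst, const uint8_t *src)
{
    uint32_t s_off = 0, s_sz = 0, t_off = 0, t_sz = 0, tmp;
    if (m->has_lock) { s_off = m->lock_off; s_sz = OBJ_SZ; }
    if (m->has_timer) { t_off = m->timer_off; t_sz = OBJ_SZ; }
    if (!s_sz && !t_sz) { memcpy(dst, src, VALUE_SIZE); return; }
    if (s_off < t_off || !s_sz) {   /* swap so (s_off, s_sz) is the upper object */
        tmp = s_off; s_off = t_off; t_off = tmp;
        tmp = s_sz; s_sz = t_sz; t_sz = tmp;
    }
    memcpy(dst, src, t_off);
    memcpy(dst + t_off + t_sz, src + t_off + t_sz, s_off - t_off - t_sz);
    memcpy(dst + s_off + s_sz, src + s_off + s_sz, VALUE_SIZE - s_off - s_sz);
}

/* Constructed check: dst starts as 0xAA (kernel state), src as 0x11 (caller bytes).
 * True only if both objects kept 0xAA and every other byte became 0x11. */
static bool objects_preserved(copy_fn copy, uint32_t lock_off, uint32_t timer_off)
{
    struct layout m = { lock_off, timer_off, true, true };
    uint8_t dst[VALUE_SIZE], src[VALUE_SIZE];
    memset(dst, 0xAA, VALUE_SIZE); memset(src, 0x11, VALUE_SIZE);
    copy(&m, dst, src);
    for (uint32_t i = 0; i < VALUE_SIZE; i++) {
        bool obj = (i - lock_off < OBJ_SZ) || (i - timer_off < OBJ_SZ); /* unsigned wrap */
        if (dst[i] != (obj ? 0xAA : 0x11)) return false;
    }
    return true;
}
```

With the lock at offset 0 and the timer at offset 8 (the layout the commit message describes), the buggy copy clobbers the timer and the fixed copy leaves both objects alone; the same holds when the lock sits above the timer.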

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with BPF enabled and allowing untrusted BPF program loading. The impact includes potential denial of service (DoS) through kernel crashes, which can disrupt critical services and infrastructure. In environments where BPF is used for networking, monitoring, or security (e.g., cloud providers, telecom operators, and enterprises using advanced Linux networking features), exploitation could lead to service outages or instability. Although the vulnerability does not directly allow privilege escalation or arbitrary code execution, the kernel crash could be leveraged as part of a larger attack chain or cause operational disruptions. Given the widespread use of Linux in European data centers, cloud environments, and embedded systems, the vulnerability could affect a broad range of sectors including finance, healthcare, telecommunications, and government. The lack of known exploits in the wild reduces immediate risk, but the technical nature of the flaw and the complexity of BPF usage mean that targeted attackers with kernel access could exploit it.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched. Specifically, they should:

1) Identify and inventory systems running vulnerable Linux kernel versions with BPF support.
2) Apply vendor-supplied kernel updates or patches that fix the copy_map_value handling for bpf_spin_lock and bpf_timer objects.
3) Restrict the ability to load untrusted or out-of-tree BPF programs by limiting CAP_BPF and CAP_SYS_ADMIN capabilities to trusted users and processes only.
4) Employ kernel lockdown features and secure boot mechanisms to prevent unauthorized kernel module loading.
5) Monitor kernel logs and audit BPF program loading activities for suspicious behavior.
6) For environments using containerization or orchestration platforms, enforce strict security policies to prevent containers from loading arbitrary BPF programs.
7) Consider disabling BPF features if not required, or use seccomp filters to restrict BPF syscalls.

These steps go beyond generic advice by focusing on controlling BPF program loading and kernel update management tailored to this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.623Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6686

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:57:23 PM

Last updated: 8/3/2025, 1:08:35 PM