
CVE-2022-48953: Vulnerability in the Linux kernel

Medium
Published: Mon Oct 21 2024 (10/21/2024, 20:05:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

rtc: cmos: Fix event handler registration ordering issue

Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events.

Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_handler() uses dev_get_drvdata() to get to the cmos object pointer and the driver data pointer is only populated in cmos_do_probe().

This leads to a NULL pointer dereference in rtc_handler() on boot if the RTC fixed event happens to be active at the init time.

To address this issue, change the initialization ordering of the driver so that cmos_wake_setup() is always called after a successful cmos_do_probe() call.

While at it, change cmos_pnp_probe() to call cmos_do_probe() after the initial if () statement used for computing the IRQ argument to be passed to cmos_do_probe() which is cleaner than calling it in each branch of that if () (local variable "irq" can be of type int, because it is passed to that function as an argument of type int).

Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number of systems, because previously it only affected systems with ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that commit.

AI-Powered Analysis

Last updated: 07/01/2025, 00:12:19 UTC

Technical Analysis

CVE-2022-48953 is a vulnerability identified in the Linux kernel's rtc-cmos driver, which handles Real-Time Clock (RTC) events via the CMOS interface. The root cause is an incorrect initialization ordering in the driver code. Specifically, the function acpi_install_fixed_event_handler() enables an event automatically upon successful registration, but the rtc-cmos driver calls this function before the event handler routine (rtc_handler()) is fully prepared to handle events. The rtc_handler() relies on a driver data pointer obtained via dev_get_drvdata(), which is only populated after the cmos_do_probe() function completes. Because the event handler is registered prematurely, if the RTC fixed event triggers during system boot, rtc_handler() attempts to dereference a NULL pointer, leading to a kernel NULL pointer dereference and consequent system crash or kernel panic. This vulnerability was exacerbated by a prior commit (6492fed7d8c9) that removed a conditional check, causing the issue to affect a broader range of systems regardless of the ACPI_FADT_LOW_POWER_S0 flag. The fix involves reordering initialization so that cmos_wake_setup() (which registers the event handler) is called only after a successful cmos_do_probe(), ensuring the driver data pointer is valid before event handling can occur. This vulnerability affects Linux kernel versions containing the faulty commit and impacts systems using the rtc-cmos driver for RTC event handling. No known exploits are reported in the wild as of publication, and no CVSS score has been assigned yet.
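
The ordering problem described above, modelled in user space as an added example (this is not the kernel's driver code). Function names follow the advisory; the bodies, `install_fixed_event_handler()`, `event_pending` and `null_derefs` are simplified stand-ins, and the handler counts the NULL case instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model: names follow the advisory, bodies are simplified stand-ins. */
struct cmos { int irq_count; };
struct device { void *drvdata; };
typedef void (*handler_t)(struct device *);

static bool event_pending; /* RTC fixed event already active at init time */
static int null_derefs;    /* times the real rtc_handler() would have oopsed */

static void rtc_handler(struct device *dev)
{
    struct cmos *cmos = dev->drvdata;     /* dev_get_drvdata() in the driver */
    if (!cmos) { null_derefs++; return; } /* kernel: NULL pointer dereference */
    cmos->irq_count++;
}

/* Models acpi_install_fixed_event_handler(): the event is enabled on success,
 * so an already-pending event reaches the handler immediately. */
static void install_fixed_event_handler(handler_t h, struct device *dev)
{
    if (event_pending) { event_pending = false; h(dev); }
}

static void cmos_wake_setup(struct device *dev) { install_fixed_event_handler(rtc_handler, dev); }
static int cmos_do_probe(struct device *dev, struct cmos *c) { dev->drvdata = c; return 0; }

/* Pre-fix ordering: the handler is live while drvdata is still NULL. */
int probe_before_fix(bool pending)
{
    struct cmos c = {0}; struct device dev = {0};
    null_derefs = 0; event_pending = pending;
    cmos_wake_setup(&dev);
    cmos_do_probe(&dev, &c);
    return null_derefs;
}

/* Fixed ordering: register the handler only after a successful probe. */
int probe_after_fix(bool pending)
{
    struct cmos c = {0}; struct device dev = {0};
    null_derefs = 0; event_pending = pending;
    if (cmos_do_probe(&dev, &c) == 0)
        cmos_wake_setup(&dev);
    return null_derefs;
}

int main(void)
{
    printf("before: %d, after: %d\n", probe_before_fix(true), probe_after_fix(true));
    return 0;
}
```

The pre-fix ordering only misbehaves when the event is already pending at registration time, which matches the advisory's "if the RTC fixed event happens to be active at the init time" condition.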

Potential Impact

For European organizations, the impact of CVE-2022-48953 primarily concerns system stability and availability. Systems running vulnerable Linux kernel versions with rtc-cmos enabled may experience kernel panics or crashes during boot if the RTC fixed event triggers early. This can lead to denial of service conditions, particularly on servers, embedded devices, or critical infrastructure systems relying on Linux for uptime. While this vulnerability does not directly expose confidentiality or integrity risks, the resulting downtime could disrupt business operations, especially in sectors dependent on continuous system availability such as finance, healthcare, manufacturing, and telecommunications. Additionally, embedded Linux devices used in industrial control systems or IoT deployments could be affected, potentially impacting operational technology environments. Since the vulnerability requires the RTC fixed event to be active at boot and involves kernel-level code, exploitation would likely require local access or physical presence, limiting remote attack vectors. Nonetheless, the broad use of Linux across European enterprises and public sector systems means that unpatched systems could face increased risk of unexpected reboots or service interruptions, which could cascade into operational and financial impacts.

Mitigation Recommendations

To mitigate CVE-2022-48953, European organizations should prioritize updating Linux kernels to versions where the patch correcting the initialization order in the rtc-cmos driver is applied. Kernel maintainers have fixed the issue by ensuring cmos_wake_setup() is called only after cmos_do_probe() completes successfully, preventing NULL pointer dereferences. Organizations should:

1) Identify all Linux systems using affected kernel versions with rtc-cmos enabled, including embedded and IoT devices.
2) Apply vendor-provided kernel updates or backported patches that address this vulnerability.
3) For systems where immediate patching is not feasible, consider disabling the rtc-cmos driver if RTC functionality is not critical, or implement boot-time monitoring to detect and recover from kernel panics.
4) Conduct thorough testing of kernel updates in staging environments to ensure stability.
5) Maintain robust backup and recovery procedures to minimize downtime in case of crashes.
6) Monitor vendor advisories and Linux kernel mailing lists for any emerging exploit reports or additional mitigations.

Given the nature of the vulnerability, generic mitigations such as firewalling or network segmentation have limited effect; focus should be on kernel patching and system hardening.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.626Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe66fe

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 12:12:19 AM

Last updated: 8/17/2025, 4:39:19 PM
