CVE-2022-48956: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid use-after-free in ip6_fragment()

Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.

It seems to not be always true, at least for UDP stack.

syzbot reported:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618

CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 ip6_dst_idev include/net/ip6_fib.h:245 [inline]
 ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
 ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:445 [inline]
 ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 sock_write_iter+0x295/0x3d0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2191 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x9ed/0xdd0 fs/read_write.c:584
 ksys_write+0x1ec/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
 </TASK>

Allocated by task 7618:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
 dst_alloc+0x14a/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
 ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
 pol_lookup_func include/net/ip6_fib.h:582 [inline]
 fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec n ---truncated---
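KASAN reports such as the one quoted above follow a fixed line format (the two "BUG: KASAN:" headers, the access line, then a call trace and the allocation and free stacks for the object), and a triager's first job is to strip the sanitizer and allocator plumbing out of those stacks to see which subsystem touched the freed object. The parser below is an added example, not code from this page or from the kernel project; it runs over an abridged copy of the quoted report (constructed here from the text above, with the page's truncation kept) and reduces it to the bug kind, the faulting access, and the first non-instrumentation frame of each stack. Names such as parse_report and summarize are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abridged copy of the syzbot report quoted in the
# description above, one entry per line as KASAN prints it.  The quoted
# report is truncated on the page, so there is no "Freed by task" stack.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618

CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 ip6_dst_idev include/net/ip6_fib.h:245 [inline]
 ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
 ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
 ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
 </TASK>

Allocated by task 7618:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
 dst_alloc+0x14a/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
 rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
 ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
 sock_sendmsg_nosec n ---truncated---
"""

# A stack frame is "func[+0xoff/0xsize] [file:line] [[inline]]"; the
# syscall entry frame has no file:line, and register dumps never match.
FRAME_RE = re.compile(
    r"^(?P<func>[A-Za-z_][\w.]*)"
    r"(?P<off>\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?"
    r"(?P<inline>\s+\[inline\])?\s*$"
)
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>.+)$")
ACCESS_RE = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<comm>\S+)/(?P<pid>\d+)$"
)
STACK_RE = re.compile(r"^(?P<name>Call Trace|Allocated by task \d+|Freed by task \d+):$")

# Frames from the sanitizer, the stack dumper and the slab allocator are
# present in every report and say nothing about which subsystem is at fault.
NOISE = ("lib/dump_stack.c", "mm/kasan/", "mm/slub.c", "mm/slab.h", "include/linux/kasan.h")


@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool

    def where(self) -> str:
        return f"{self.func} {self.file}:{self.line}" if self.file else self.func


@dataclass
class KasanReport:
    kind: Optional[str] = None
    op: Optional[str] = None
    size: Optional[int] = None
    addr: Optional[str] = None
    comm: Optional[str] = None
    pid: Optional[int] = None
    stacks: dict = field(default_factory=dict)   # "call_trace" / "allocated" / "freed"
    truncated: bool = False


def parse_report(text: str) -> KasanReport:
    report, current = KasanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if "---truncated---" in line:          # syzbot/CVE feeds cut long reports here
            report.truncated = True
            break
        if not line:
            continue
        if m := BUG_RE.match(line):
            report.kind = report.kind or m.group("kind")
        elif m := ACCESS_RE.match(line):
            report.op, report.size = m.group("op"), int(m.group("size"))
            report.addr, report.comm, report.pid = m.group("addr"), m.group("comm"), int(m.group("pid"))
        elif m := STACK_RE.match(line):
            name = m.group("name")
            current = "call_trace" if name.startswith("Call") else name.split()[0].lower()
            report.stacks[current] = []
        elif line == "</TASK>":
            current = None
        elif current is not None and (m := FRAME_RE.match(line)) and (m.group("off") or m.group("file")):
            report.stacks[current].append(Frame(
                m.group("func"), m.group("file"),
                int(m.group("line")) if m.group("line") else None, bool(m.group("inline"))))
    return report


def first_interesting(frames, skip_inline=False) -> Optional[Frame]:
    """First frame outside the instrumentation: the code that actually touched the object."""
    for f in frames:
        if f.file is None or f.file.startswith(NOISE) or (skip_inline and f.inline):
            continue
        return f
    return None


def summarize(report: KasanReport) -> dict:
    trace = report.stacks.get("call_trace", [])
    fault, caller = first_interesting(trace), first_interesting(trace, skip_inline=True)
    alloc, freed = (first_interesting(report.stacks.get(k, [])) for k in ("allocated", "freed"))
    return {
        "kind": report.kind,
        "access": f"{report.op} of size {report.size} at {report.addr}",
        "task": f"{report.comm}/{report.pid}",
        "fault": fault.where() if fault else None,          # innermost non-noise frame
        "caller": caller.where() if caller else None,       # the out-of-line function it sits in
        "allocated_by": alloc.where() if alloc else None,
        "freed_by": freed.where() if freed else None,
        "truncated": report.truncated,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{k:>13}: {v}")
```

On the sample the summary names ip6_dst_idev() (inlined into ip6_fragment()) as the faulting read and dst_alloc() as the allocation site, which is the same conclusion the commit message draws: a routing entry freed out from under the fragmentation path. A missing "freed_by" together with "truncated" is the signal to go fetch the full syzbot report before drawing conclusions about the free side.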
AI Analysis
Technical Summary
CVE-2022-48956 is a use-after-free vulnerability in the IPv6 fragmentation code of the Linux kernel, specifically in the ip6_fragment() function. It arises from an incorrect assumption about the locking context: the callers of ip6_fragment() were believed to always hold rcu_read_lock(), but this is not consistently true, particularly in the UDP stack. Without the RCU read-side lock, the routing entry that ip6_fragment() dereferences can be freed while it is still in use, so the kernel reads memory that has already been returned to the allocator, causing undefined behavior. The bug was found and reported by syzbot, a kernel fuzzing tool, whose Kernel Address Sanitizer (KASAN) report shows a use-after-free read in ip6_dst_idev(), inlined into ip6_fragment(); the allocation stack in that report shows the freed object was a per-CPU route entry allocated through dst_alloc() and ip6_dst_alloc() during the route lookup in udpv6_sendmsg(). The issue manifests during IPv6 packet fragmentation and output processing and involves several kernel networking subsystems: netfilter hooks, routing, and UDP over IPv6. The trace shows the problem occurring while sending UDPv6 packets, where the kernel accesses freed destination cache entries or routing structures. This vulnerability affects Linux kernel versions prior to the patch that corrected the locking assumptions and memory management in the IPv6 fragmentation code. Exploitation could lead to kernel crashes (denial of service) or, in some cases, memory corruption that might be leveraged for privilege escalation or arbitrary code execution, although no known exploits are reported in the wild as of now. Triggering the use-after-free requires crafted IPv6 UDP traffic, implying a moderate exploitation difficulty. However, given the widespread use of Linux kernels in servers, cloud infrastructure, and embedded devices, the impact can be significant if exploited.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers, network appliances, and cloud infrastructure running vulnerable Linux kernel versions. Many European enterprises rely heavily on Linux-based systems for critical services, including web hosting, telecommunications, and cloud platforms. Exploitation could lead to kernel panics causing service outages (availability impact), potentially disrupting business operations and critical infrastructure. In more severe scenarios, attackers might leverage the memory corruption to escalate privileges or execute arbitrary code, threatening confidentiality and integrity of sensitive data. The vulnerability affects IPv6 traffic processing, which is increasingly prevalent in European networks due to IPv6 adoption mandates and modern network architectures. Organizations with IPv6-enabled services or those using UDP-based protocols over IPv6 are particularly at risk. Additionally, the vulnerability could be exploited remotely by sending crafted IPv6 UDP packets, increasing the attack surface. The absence of known exploits currently reduces immediate risk, but the complexity and severity warrant prompt attention. Critical infrastructure sectors such as finance, energy, and government in Europe could face heightened risk due to their reliance on Linux systems and the strategic importance of maintaining uninterrupted network services.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps:
1) Immediately update Linux kernels to the latest patched versions that address CVE-2022-48956. This is the most effective mitigation.
2) For environments where immediate patching is not feasible, consider disabling or restricting IPv6 UDP traffic, especially fragmented IPv6 UDP, using firewall rules or network policies to reduce exposure.
3) Run kernels with debugging instrumentation such as the Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively.
4) Monitor network traffic for anomalous IPv6 UDP fragmentation patterns that could indicate exploitation attempts.
5) Use intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts targeting this vulnerability.
6) In cloud environments, use vendor-provided security tools and managed kernel updates to ensure timely patching.
7) Test critical applications and services thoroughly after kernel updates to catch regressions.
8) Maintain an inventory of Linux kernel versions in use across the organization to prioritize patching effectively.
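Steps 2 and 4 above both hinge on being able to tell fragmented IPv6 UDP apart from everything else on the wire, which means walking the IPv6 extension-header chain to the Fragment header (next-header value 44) rather than trusting the base header's next-header field. The code below is an added example, not part of this page or of any vendor tooling; it assumes raw IPv6 packets as byte strings with the link-layer header already stripped (as a pcap reader would hand them over), builds a few constructed packets to run on, and reports one record per fragmented UDP datagram. It goes slightly beyond the text by also stepping over Hop-by-Hop, Routing and Destination Options headers, since those may legitimately precede a Fragment header. The names parse_ipv6, build_ipv6 and find_fragmented_udp are this example's own.

```python
import ipaddress
import struct
from collections import defaultdict

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_TCP, NH_UDP, NH_ROUTING = 0, 6, 17, 43
NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 44, 58, 60
# Extension headers whose size is (Hdr Ext Len + 1) * 8 bytes (RFC 8200).
VARIABLE_LEN_EXT = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}
MAX_EXT_HEADERS = 16  # guard against absurdly long or looping header chains


def parse_ipv6(pkt: bytes) -> dict:
    """Walk the header chain far enough to learn whether the packet is a
    fragment and which upper-layer protocol the original datagram carried."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    end = min(len(pkt), IPV6_HDR_LEN + payload_len)
    info = {
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "fragment": None,
    }
    off = IPV6_HDR_LEN
    for _ in range(MAX_EXT_HEADERS):
        if nh == NH_FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated Fragment header")
            nh, _reserved, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            off += 8
            info["fragment"] = {"offset": (off_flags >> 3) * 8,
                                "more": bool(off_flags & 1), "id": ident}
            # Only the first fragment (offset 0) starts with the upper-layer
            # header; later fragments are mid-datagram bytes, so stop walking.
            # The Next Header value still names the original protocol.
            if info["fragment"]["offset"] != 0:
                break
        elif nh in VARIABLE_LEN_EXT:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nh, ext_len = struct.unpack_from("!BB", pkt, off)
            off += (ext_len + 1) * 8
            if off > end:
                raise ValueError("extension header overruns packet")
        else:
            break  # reached the upper-layer header (UDP, TCP, ICMPv6, ...)
    else:
        raise ValueError("too many extension headers")
    info["proto"] = nh
    info["payload_offset"] = off
    return info


def build_ipv6(src: str, dst: str, proto: int, payload: bytes, frag=None) -> bytes:
    """Constructed test packets only.  frag=(offset_bytes, more, ident) puts a
    Fragment header between the base header and the payload."""
    nh, ext = proto, b""
    if frag is not None:
        offset, more, ident = frag
        ext = struct.pack("!BBHI", proto, 0, ((offset // 8) << 3) | int(more), ident)
        nh = NH_FRAGMENT
    body = ext + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nh, 64)   # version 6, flow label 0, hop limit 64
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def find_fragmented_udp(packets) -> list:
    """One record per (src, dst, fragment id) datagram that is UDP over IPv6
    and arrives in fragments.  Fragment count and byte total let an analyst
    spot datagrams that never complete or that are far larger than the
    service behind them should ever need."""
    seen = defaultdict(lambda: {"fragments": 0, "bytes": 0, "last_seen": False})
    for pkt in packets:
        info = parse_ipv6(pkt)
        frag = info["fragment"]
        if frag is None or info["proto"] != NH_UDP:
            continue
        rec = seen[(info["src"], info["dst"], frag["id"])]
        rec["fragments"] += 1
        rec["bytes"] += len(pkt) - info["payload_offset"]
        if not frag["more"]:
            rec["last_seen"] = True   # the final fragment of this datagram was observed
    return [dict(src=s, dst=d, id=i, **rec) for (s, d, i), rec in seen.items()]


# Constructed sample traffic (documentation prefix addresses, zeroed payloads).
SRC, DST = "2001:db8::10", "2001:db8::53"
SAMPLE_PACKETS = [
    build_ipv6(SRC, DST, NH_UDP, b"\x00" * 64),                               # plain UDP
    build_ipv6(SRC, DST, NH_TCP, b"\x00" * 64),                               # plain TCP
    build_ipv6(SRC, DST, NH_UDP, b"\x00" * 1232, frag=(0, True, 0x1234)),     # UDP, first fragment
    build_ipv6(SRC, DST, NH_UDP, b"\x00" * 300, frag=(1232, False, 0x1234)),  # UDP, last fragment
    build_ipv6(SRC, DST, NH_ICMPV6, b"\x00" * 1232, frag=(0, True, 0x99)),    # ICMPv6 fragment: not UDP
]

if __name__ == "__main__":
    for rec in find_fragmented_udp(SAMPLE_PACKETS):
        print(rec)
```

Fragmented UDP over IPv6 is not inherently malicious; large DNS responses, for instance, fragment legitimately, so baseline what a given network normally carries before turning a rule like this from "alert" into "drop" as step 2 suggests. Packets that fail to parse (truncated or malformed header chains) are worth alerting on in their own right rather than silently skipping, which is why parse_ipv6 raises instead of returning a partial result.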
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-22T01:27:53.627Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe672a
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 12:25:27 AM
Last updated: 8/3/2025, 7:02:53 PM