
CVE-2022-48976: Vulnerability in Linux Linux

Medium
Published: Mon Oct 21 2024 (10/21/2024, 20:05:55 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

flow_offload_queue_work() can be called in workqueue without bh disabled, like the call trace showed in my act_ct testing, calling NF_FLOW_TABLE_STAT_INC() there would cause a call trace:

  BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
  caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
  Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x33/0x46
   check_preemption_disabled+0xc3/0xf0
   flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
   nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
   nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
   tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
   process_one_work+0x6a3/0x1030
   worker_thread+0x8a/0xdf0

This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC() instead in flow_offload_queue_work().

Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(), it may not be called in preemptible path, but it's good to use NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in flow_offload_queue_work().

AI-Powered Analysis

Last updated: 06/28/2025, 00:11:49 UTC

Technical Analysis

CVE-2022-48976 is a vulnerability identified in the Linux kernel's netfilter subsystem, specifically within the flowtable_offload component. The issue arises from the improper use of the __this_cpu_add() function in a preemptible context within the flow_offload_queue_work() function. This function is called in a workqueue context without bottom halves (bh) disabled, which violates kernel programming constraints. The improper usage leads to a kernel BUG triggered by preemption occurring during the increment of flow table statistics via NF_FLOW_TABLE_STAT_INC(). The kernel call trace shows that this bug manifests during the execution of flow_offload_queue_work(), which is part of the act_ct (connection tracking) workqueue processing.

The root cause is that __this_cpu_add() is not safe to use when preemption is enabled, as it assumes the current CPU context remains constant. The patch resolves this by replacing NF_FLOW_TABLE_STAT_INC() with NF_FLOW_TABLE_STAT_INC_ATOMIC(), which is safe to use in preemptible contexts because it uses atomic operations that do not rely on CPU-local state. This fix ensures that statistics updates in flow_offload_queue_work() do not cause kernel panics or instability.

The vulnerability affects specific Linux kernel versions identified by commit hashes, and no known exploits in the wild have been reported. The vulnerability is technical and low-level, impacting kernel stability and reliability rather than directly enabling privilege escalation or remote code execution. However, kernel panics or crashes can lead to denial of service (DoS) conditions on affected systems. The issue is relevant for Linux systems using netfilter flow offload features, which are common in networking equipment, firewalls, and routers running Linux. The patch is recommended to maintain kernel stability and prevent potential DoS caused by kernel BUGs triggered by this flaw.

Potential Impact

For European organizations, the primary impact of CVE-2022-48976 is the risk of kernel instability and potential denial of service on Linux systems utilizing netfilter flow offload features. This vulnerability could cause unexpected kernel panics or crashes during normal network traffic processing, particularly in environments with high connection tracking loads or flow offloading enabled. Organizations relying on Linux-based network infrastructure, including firewalls, routers, and servers, may experience service interruptions or degraded network performance. This can affect critical services, especially in sectors such as telecommunications, finance, healthcare, and government, where Linux-based network appliances are prevalent. While the vulnerability does not directly expose systems to remote code execution or privilege escalation, the resulting instability can disrupt operations and require system reboots, impacting availability. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the bug. European organizations with large-scale Linux deployments or those using custom kernel builds with netfilter flow offload should prioritize patching to ensure operational continuity and avoid potential denial of service scenarios.

Mitigation Recommendations

1. Apply the official Linux kernel patch that replaces NF_FLOW_TABLE_STAT_INC() with NF_FLOW_TABLE_STAT_INC_ATOMIC() in flow_offload_queue_work() as soon as it becomes available for your kernel version.
2. For organizations using custom or long-term support (LTS) kernels, backport the patch to maintain stability.
3. Monitor kernel updates from your Linux distribution vendors and apply security updates promptly.
4. Audit network devices and servers to identify those using netfilter flow offload features and prioritize patching on these systems.
5. Implement robust monitoring of kernel logs and system stability metrics to detect early signs of kernel panics or crashes related to this issue.
6. Where possible, consider temporarily disabling flow offload features if patching is delayed and if this does not critically impact network performance.
7. Conduct thorough testing of kernel updates in staging environments to ensure compatibility and stability before production deployment.
8. Maintain comprehensive backup and recovery procedures to minimize downtime in case of unexpected system crashes.
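For the kernel-log monitoring recommended above, the following is an added example (not code from the kernel patch or from this database) that scans log lines for the report quoted in the description and flags the ones whose caller is flow_offload_queue_work() in nf_flow_table. The sample log, its timestamps, and the second report from `example_mod` are constructed for illustration.

```python
import re

# Patterns follow the report quoted in the CVE description.
BUG_RE = re.compile(r"BUG: using (?P<op>__this_cpu_\w+)\(\) in preemptible "
                    r"\[\d+\] code: (?P<comm>\S+)/(?P<pid>\d+)")
CALLER_RE = re.compile(r"caller is (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                       r"(?: \[(?P<module>\w+)\])?")
WORKQUEUE_RE = re.compile(r"Workqueue: (?P<wq>\S+)")

# Constructed sample: trace lines from the description with made-up
# timestamps, plus an unrelated report from a hypothetical module.
SAMPLE_LOG = """\
[  901.100001] example: unrelated kernel message
[ 1312.400010] BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
[ 1312.400015] caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
[ 1312.400021] Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
[ 1312.400024] Call Trace:
[ 1312.400026]  flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
[ 1500.000001] BUG: using __this_cpu_add() in preemptible [00000000] code: example_task/4242
[ 1500.000004] caller is example_stat_update+0x10/0x40 [example_mod]
"""

def find_splats(lines):
    """Return one dict per '__this_cpu_*() in preemptible' report."""
    splats = []
    for line in lines:
        m = BUG_RE.search(line)
        if m:
            splats.append({"op": m["op"], "comm": m["comm"], "pid": int(m["pid"]),
                           "caller": None, "module": None, "workqueue": None})
        elif splats:
            cur = splats[-1]  # detail lines belong to the latest report
            c, w = CALLER_RE.search(line), WORKQUEUE_RE.search(line)
            if c and cur["caller"] is None:
                cur["caller"], cur["module"] = c["func"], c["module"]
            elif w and cur["workqueue"] is None:
                cur["workqueue"] = w["wq"]
    return splats

def is_flowtable_splat(splat):
    """True when the report points at the code path named in CVE-2022-48976."""
    return (splat["caller"] == "flow_offload_queue_work"
            and splat["module"] == "nf_flow_table")

if __name__ == "__main__":
    for s in filter(is_flowtable_splat, find_splats(SAMPLE_LOG.splitlines())):
        print(f"CVE-2022-48976 report: {s['comm']} pid={s['pid']} wq={s['workqueue']}")
```

The report comes from check_preemption_disabled(), which is built only when the kernel is configured with CONFIG_DEBUG_PREEMPT, so a log without it does not show that a host is patched.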


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.632Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd58d

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/28/2025, 12:11:49 AM

Last updated: 8/13/2025, 12:48:35 PM
