
CVE-2022-48978: Vulnerability in the Linux kernel

Severity: Medium
Published: Mon Oct 21 2024 (10/21/2024, 20:05:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

    microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
    ======================================================================
    UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
    shift exponent 127 is too large for 32-bit type 'int'
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
    Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:151 [inline]
     __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
     snto32 drivers/hid/hid-core.c:1323 [inline]
     hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
     hid_process_report drivers/hid/hid-core.c:1665 [inline]
     hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
     hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
     hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
     __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
     dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
     call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
     expire_timers kernel/time/timer.c:1519 [inline]
     __run_timers+0x76a/0x980 kernel/time/timer.c:1790
     run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
     __do_softirq+0x277/0x75b kernel/softirq.c:571
     __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
     irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
     sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
    ======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(), shift exponent will be too large for 32-bit type 'int', resulting in a shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32, if n is greater than 32.

AI-Powered Analysis

Last updated: 07/01/2025, 00:42:29 UTC

Technical Analysis

CVE-2022-48978 is a vulnerability in the Linux kernel's Human Interface Device (HID) core subsystem, reached through the function hid_report_raw_event. The issue is an out-of-bounds shift in the snto32() function, which is called while HID reports are processed. The root cause is that the field size 'n' passed to snto32() can be greater than 32, so the shift exponent derived from it exceeds the bit-width of the 32-bit integer type used in the operation. This is a shift-out-of-bounds bug and results in undefined behavior. The vulnerability was detected by Syzbot, an automated kernel fuzzer, and is triggered when hid_field_extract() is called with n=128, which is invalid for a 32-bit integer. The bug manifests as a shift exponent of 127, which is too large, and the kernel may behave unpredictably or crash. The fix adds a check in snto32() that caps n at 32, preventing the out-of-bounds shift.

This vulnerability affects multiple versions of the Linux kernel as indicated by the affected commit hashes. The flaw is located in the HID subsystem, which handles input devices such as keyboards, mice, and game controllers. Although no known exploits are reported in the wild, the vulnerability could be triggered by specially crafted HID reports, potentially leading to kernel crashes (denial of service) or other undefined kernel behavior. The vulnerability does not require user authentication but does require interaction with HID devices or the ability to send crafted HID reports to the system. The absence of a CVSS score means severity must be assessed based on impact and exploitability factors.
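The clamp described above, as an added user-space model (not the kernel source and not code from this page): sign_extend_unchecked and sign_extend_capped are hypothetical names, and the sample values are constructed. It shows why capping n at exactly 32 is enough: the capped width lands in the whole-word case, so no shift by n - 1 or n is evaluated with a count of 32 or more.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the pre-fix logic: sign-extend the low n bits of value.
 * For n > 32 the shift counts (n - 1) and n reach or exceed the width of a
 * 32-bit integer, which is undefined behaviour (UBSAN reported exponent 127
 * for n = 128). This helper must only be called with n <= 32. */
static int32_t sign_extend_unchecked(uint32_t value, unsigned n)
{
    if (!value || !n)
        return 0;
    switch (n) {                      /* whole-width cases never shift */
    case 8:  return (int8_t)value;
    case 16: return (int16_t)value;
    case 32: return (int32_t)value;
    }
    /* Here 1 <= n <= 31: test the sign bit, then fill the bits above it. */
    return (value & ((uint32_t)1 << (n - 1)))
               ? (int32_t)(value | (~(uint32_t)0 << n))
               : (int32_t)value;
}

/* Model of the fixed logic: clamp the width before any shift happens.
 * An oversized n becomes 32 and is served by the "case 32" branch above. */
static int32_t sign_extend_capped(uint32_t value, unsigned n)
{
    if (n > 32)
        n = 32;
    return sign_extend_unchecked(value, n);
}

int main(void)
{
    /* Constructed inputs: a 5-bit field, a 12-bit field, and the oversized
     * width from the syzbot report (n = 128). */
    printf("n=5   0x1f       -> %d\n", (int)sign_extend_capped(0x1fu, 5));
    printf("n=12  0x800      -> %d\n", (int)sign_extend_capped(0x800u, 12));
    printf("n=128 0xffffffff -> %d\n", (int)sign_extend_capped(0xffffffffu, 128));
    return 0;
}
```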

Potential Impact

For European organizations, the impact of CVE-2022-48978 primarily revolves around potential denial of service conditions or kernel instability on Linux systems handling HID devices. Given the widespread use of Linux in servers, workstations, and embedded devices across Europe, especially in sectors like finance, government, telecommunications, and manufacturing, any kernel-level instability can disrupt critical operations. Systems exposed to untrusted USB or Bluetooth HID devices, or those that process HID reports from external sources, are at risk. Attackers with physical or logical access to input device interfaces could exploit this to cause system crashes, potentially leading to downtime or loss of availability. While direct privilege escalation or remote code execution is not explicitly documented, kernel bugs can sometimes be leveraged in complex attack chains. The impact is heightened in environments where Linux is used in critical infrastructure or where uptime is essential. Additionally, organizations relying on Linux-based IoT or embedded devices with HID interfaces could face operational disruptions. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address this vulnerability by implementing the fix in the hid-core.c source code. Kernel updates should be tested and deployed promptly across all affected Linux systems, especially those with HID device interfaces. Organizations should audit and restrict the use of untrusted USB or Bluetooth HID devices, employing USB device whitelisting or endpoint security solutions to control device access. For environments where patching is delayed, consider disabling or limiting HID device support where feasible, or isolating vulnerable systems from untrusted networks and users. Monitoring kernel logs for unusual HID-related errors or crashes can help detect attempted exploitation. Additionally, organizations should ensure robust physical security controls to prevent unauthorized device connections. Security teams should stay informed on any emerging exploit reports or further advisories related to this CVE. Finally, integrating this vulnerability into vulnerability management and incident response workflows will help maintain ongoing risk awareness.
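One way to implement the kernel-log monitoring mentioned above, as an added example (not part of the original page): it matches the two message shapes quoted in the description. The function names, the timestamps and the third log line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the two kernel messages quoted in the advisory with
 * made-up dmesg timestamps, plus one unrelated constructed line. */
static const char *const SAMPLE_LOG[] = {
    "[   41.120331] microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)",
    "[   41.120498] UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20",
    "[   41.501277] usb 1-1: new full-speed USB device number 3 using dummy_hcd",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* If line is the HID core warning about an oversized field, copy the device
 * id (the token just before the marker) into dev and return n; else 0. */
static unsigned hid_oversize_width(const char *line, char *dev, size_t devlen)
{
    static const char marker[] = ": hid_field_extract() called with n (";
    const char *m = strstr(line, marker);
    const char *start = m;
    unsigned n = 0;
    size_t len;

    if (!m || devlen == 0 ||
        sscanf(m + sizeof(marker) - 1, "%u", &n) != 1 || n <= 32)
        return 0;
    while (start > line && start[-1] != ' ')   /* walk back to token start */
        start--;
    len = (size_t)(m - start);
    if (len >= devlen)                         /* truncate, never overflow */
        len = devlen - 1;
    memcpy(dev, start, len);
    dev[len] = '\0';
    return n;
}

/* UBSAN shift report that points into the HID drivers directory. */
static int is_hid_ubsan_shift(const char *line)
{
    return strstr(line, "UBSAN: shift-out-of-bounds in drivers/hid/") != NULL;
}

int main(void)
{
    char dev[32];
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        unsigned n = hid_oversize_width(SAMPLE_LOG[i], dev, sizeof(dev));
        if (n)
            printf("ALERT oversized HID field: device=%s n=%u\n", dev, n);
        else if (is_hid_ubsan_shift(SAMPLE_LOG[i]))
            printf("ALERT UBSAN shift report in HID code\n");
    }
    return 0;
}
```

The device id in the warning carries the bus, vendor and product values, which gives an analyst something to correlate against the list of approved input devices.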


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.632Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe67e3

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 12:42:29 AM

Last updated: 7/29/2025, 11:15:10 PM
