CVE-2022-48983: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? lock_downgrade+0x6e0/0x6e0 ? exit_signals+0x8b0/0x8b0 ? do_raw_read_unlock+0x3b/0x70 ? do_raw_spin_unlock+0x50/0x230 arch_do_signal_or_restart+0x82/0x2470 ? kmem_cache_free+0x260/0x4b0 ? putname+0xfe/0x140 ? get_sigframe_size+0x10/0x10 ? do_execveat_common.isra.0+0x226/0x710 ? lockdep_hardirqs_on+0x79/0x100 ? putname+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from eg exec. The execution of the two are ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash. It's safe to add this NULL check here, because the execution of the two paths are done by the task itself. [axboe: add code comment and also put an explanation in the commit msg]
AI Analysis
Technical Summary
CVE-2022-48983 is a vulnerability in the Linux kernel's io_uring subsystem, specifically a null pointer dereference occurring in the function io_tctx_exit_cb(). The issue arises due to a race condition between adding task_work from io_ring_exit_work() and canceling all work items during process execution (e.g., exec). Both operations are performed by the task itself, but if io_tctx_exit_cb() is queued while canceling work items and then executed as the task exits to userspace, the current->io_uring pointer can be NULL, leading to a null pointer dereference and kernel panic. This vulnerability was identified by Syzkaller, a kernel fuzzing tool, which reported a KASAN (Kernel Address Sanitizer) null pointer dereference bug. The crash occurs because the synchronization between queuing and canceling task_work items is insufficient, allowing io_tctx_exit_cb() to run when the io_uring context has already been cleared. The fix involves adding a NULL check in io_tctx_exit_cb() to prevent dereferencing a NULL pointer, which is safe given the execution context. This vulnerability affects Linux kernel versions around 6.1.0-rc7 and likely other versions using the affected io_uring implementation. Exploitation would cause a kernel panic, resulting in denial of service (DoS) for affected systems. There is no indication that this vulnerability allows privilege escalation or arbitrary code execution, but the kernel panic can disrupt system availability. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the primary impact of CVE-2022-48983 is the potential for denial of service due to kernel panics triggered by the null pointer dereference in the io_uring subsystem. Systems running vulnerable Linux kernels with io_uring enabled could experience unexpected crashes, leading to service interruptions, especially in environments relying on Linux servers for critical infrastructure, cloud services, or container orchestration. This could affect data centers, cloud providers, and enterprises using Linux-based systems extensively. Although the vulnerability does not appear to allow privilege escalation or data compromise directly, the availability impact can disrupt business operations, cause downtime, and increase operational costs. Organizations with automated or high-throughput workloads using io_uring for asynchronous I/O might be more susceptible to triggering this bug. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain at risk of accidental or targeted DoS attacks. Given the increasing reliance on Linux in European critical infrastructure and enterprise IT, this vulnerability warrants prompt attention.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the fix involves adding a NULL pointer check in io_tctx_exit_cb(), applying the latest stable kernel releases or vendor-provided security patches is the most effective mitigation. For environments where immediate patching is not feasible, organizations should consider disabling or limiting the use of io_uring if possible, especially in critical systems, to reduce exposure. Monitoring kernel logs for signs of kernel panics or crashes related to io_uring can help detect attempts to trigger this vulnerability. Additionally, organizations should implement robust system restart and recovery procedures to minimize downtime in case of crashes. For cloud or containerized environments, ensure orchestration platforms can quickly detect and recover from node failures. Security teams should also track updates from Linux kernel maintainers and vendors for any further advisories or exploit developments related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2022-48983: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? lock_downgrade+0x6e0/0x6e0 ? exit_signals+0x8b0/0x8b0 ? do_raw_read_unlock+0x3b/0x70 ? do_raw_spin_unlock+0x50/0x230 arch_do_signal_or_restart+0x82/0x2470 ? kmem_cache_free+0x260/0x4b0 ? putname+0xfe/0x140 ? get_sigframe_size+0x10/0x10 ? do_execveat_common.isra.0+0x226/0x710 ? lockdep_hardirqs_on+0x79/0x100 ? putname+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from eg exec. The execution of the two are ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash. It's safe to add this NULL check here, because the execution of the two paths are done by the task itself. [axboe: add code comment and also put an explanation in the commit msg]
AI-Powered Analysis
Technical Analysis
CVE-2022-48983 is a vulnerability in the Linux kernel's io_uring subsystem, specifically a null pointer dereference occurring in the function io_tctx_exit_cb(). The issue arises due to a race condition between adding task_work from io_ring_exit_work() and canceling all work items during process execution (e.g., exec). Both operations are performed by the task itself, but if io_tctx_exit_cb() is queued while canceling work items and then executed as the task exits to userspace, the current->io_uring pointer can be NULL, leading to a null pointer dereference and kernel panic. This vulnerability was identified by Syzkaller, a kernel fuzzing tool, which reported a KASAN (Kernel Address Sanitizer) null pointer dereference bug. The crash occurs because the synchronization between queuing and canceling task_work items is insufficient, allowing io_tctx_exit_cb() to run when the io_uring context has already been cleared. The fix involves adding a NULL check in io_tctx_exit_cb() to prevent dereferencing a NULL pointer, which is safe given the execution context. This vulnerability affects Linux kernel versions around 6.1.0-rc7 and likely other versions using the affected io_uring implementation. Exploitation would cause a kernel panic, resulting in denial of service (DoS) for affected systems. There is no indication that this vulnerability allows privilege escalation or arbitrary code execution, but the kernel panic can disrupt system availability. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the primary impact of CVE-2022-48983 is the potential for denial of service due to kernel panics triggered by the null pointer dereference in the io_uring subsystem. Systems running vulnerable Linux kernels with io_uring enabled could experience unexpected crashes, leading to service interruptions, especially in environments relying on Linux servers for critical infrastructure, cloud services, or container orchestration. This could affect data centers, cloud providers, and enterprises using Linux-based systems extensively. Although the vulnerability does not appear to allow privilege escalation or data compromise directly, the availability impact can disrupt business operations, cause downtime, and increase operational costs. Organizations with automated or high-throughput workloads using io_uring for asynchronous I/O might be more susceptible to triggering this bug. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means that unpatched systems remain at risk of accidental or targeted DoS attacks. Given the increasing reliance on Linux in European critical infrastructure and enterprise IT, this vulnerability warrants prompt attention.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the fix involves adding a NULL pointer check in io_tctx_exit_cb(), applying the latest stable kernel releases or vendor-provided security patches is the most effective mitigation. For environments where immediate patching is not feasible, organizations should consider disabling or limiting the use of io_uring if possible, especially in critical systems, to reduce exposure. Monitoring kernel logs for signs of kernel panics or crashes related to io_uring can help detect attempts to trigger this vulnerability. Additionally, organizations should implement robust system restart and recovery procedures to minimize downtime in case of crashes. For cloud or containerized environments, ensure orchestration platforms can quickly detect and recover from node failures. Security teams should also track updates from Linux kernel maintainers and vendors for any further advisories or exploit developments related to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-22T01:27:53.633Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982fc4522896dcbe680b
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 12:43:40 AM
Last updated: 8/13/2025, 6:47:09 PM
Views: 13
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.