CVE-2022-48984: Vulnerability in the Linux kernel (can: slcan)
In the Linux kernel, the following vulnerability has been resolved:

can: slcan: fix freed work crash

The LTP test pty03 is causing a crash in slcan:

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
Workqueue: 0x0 (events)
RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
Call Trace:
<TASK>
worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)

Apparently, the slcan's tx_work is freed while being scheduled. While slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work), slcan_close() (tty side) does not.

So when the netdev is never set UP, but the tty is stuffed with bytes and forced to wakeup write, the work is scheduled, but never flushed. So add an additional flush_work() to slcan_close() to be sure the work is flushed under all circumstances.

The Fixes commit below moved flush_work() from slcan_close() to slcan_netdev_close(). What was the rationale behind it? Maybe we can drop the one in slcan_netdev_close()?

I see the same pattern in can327. So it perhaps needs the very same fix.
AI Analysis
Technical Summary
CVE-2022-48984 is a use-after-free in the Linux kernel's slcan driver (drivers/net/can/slcan), which exposes a CAN (Controller Area Network) adapter attached over a serial line as a CAN network device. The driver's transmit work, tx_work, is a work_struct embedded in the per-device private data; the tty line discipline's write-wakeup callback queues it on the system workqueue. The private data is torn down on two paths: slcan_netdev_close() on the network device side (run when the interface is brought DOWN) and slcan_close() on the tty side (run when the line discipline is detached or the tty is closed). Before the fix only slcan_netdev_close() called flush_work(&sl->tx_work) before the private data was freed; slcan_close() did not. If the netdev is never brought UP, slcan_netdev_close() never runs. Writing bytes into the tty then makes a write wakeup fire and queues tx_work, and a subsequent close of the tty frees the structure that embeds it. When a kworker later picks up the stale work item, process_one_work() operates on the freed work_struct; in the LTP pty03 reproducer this surfaced as a NULL pointer dereference at address 0x8 inside process_one_work() on a kworker thread and a kernel oops. The root cause is therefore a lifetime bug rather than a data race: a pending work item outlived the object that contains it because one of the two teardown paths did not flush it. The fix adds flush_work() to slcan_close() so the work is flushed on every teardown path. The commit message notes that an earlier commit had moved the flush from slcan_close() to slcan_netdev_close(), questions whether the netdev-side flush is still needed, and points out that the can327 driver shows the same pattern and probably needs the same fix. The crash was reproduced on kernel 6.0.8-1-default (openSUSE Tumbleweed) under QEMU; any kernel carrying the same slcan teardown code is affected regardless of distribution. Attaching the slcan line discipline requires CAP_NET_ADMIN (slcan_open() checks it), so the trigger is a privileged local action or a device interaction, not unprivileged input. The consequence is a crashed kernel worker and an unstable system, i.e. an availability problem, not privilege escalation or information disclosure. No exploitation in the wild is reported and no CVSS score has been assigned.
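The teardown sequence described above, as an added illustration that is not the kernel driver's code: a userspace C model with a single-threaded stand-in for the kernel workqueue and for the two slcan teardown paths. The names schedule_work, flush_work, slcan_open, slcan_write_wakeup, slcan_netdev_close, slcan_close and free_candev are borrowed from the driver so the paths can be compared, but their bodies, the magic field, the poisoning in free_candev and run_scenario() are assumptions of this model. run_scenario(netdev_up, patched) replays the pty03 sequence (line discipline attached, write wakeup fires, tty closed) and returns how many times the queued tx_work ran against an already freed object.

```c
/*
 * Added illustration, not kernel code: a single-threaded stand-in for the kernel
 * workqueue and for the two slcan teardown paths, named after drivers/net/can/slcan.c.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Same idiom the kernel uses to get from an embedded work_struct to its owner. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct {
	void (*func)(struct work_struct *work);
	struct work_struct *next;	/* link in the pending list */
	bool queued;
};

#define SLCAN_MAGIC 0x534c4341u		/* valid while the object is live */
struct slcan {
	unsigned int magic;
	struct work_struct tx_work;	/* embedded in the private data, as in slcan */
};

/* Stand-in for the "events" workqueue: items run when a kworker drains it. */
static struct work_struct *wq_head;
static int wq_dangling_runs;		/* work runs that found their owner freed */

static void schedule_work(struct work_struct *w)
{
	if (w->queued)			/* kernel also ignores re-queueing pending work */
		return;
	w->queued = true;
	w->next = wq_head;
	wq_head = w;
}

static void run_pending_work(void)	/* what the kworker does when it gets the CPU */
{
	while (wq_head) {
		struct work_struct *w = wq_head;
		wq_head = w->next;
		w->queued = false;
		w->func(w);
	}
}

/* flush_work() waits until the pending work has run; here that means run it now. */
static void flush_work(struct work_struct *w) { if (w->queued) run_pending_work(); }

static void slcan_transmit(struct work_struct *work)
{
	struct slcan *sl = container_of(work, struct slcan, tx_work);
	if (sl->magic != SLCAN_MAGIC)	/* the real kernel oopses at this point */
		wq_dangling_runs++;
}

static struct slcan *slcan_open(void)	/* ldisc open: allocate and init the work */
{
	struct slcan *sl = calloc(1, sizeof(*sl));
	if (!sl)
		abort();
	sl->magic = SLCAN_MAGIC;
	sl->tx_work.func = slcan_transmit;
	return sl;
}

/* tty write_wakeup callback: this is what queues tx_work in the pty03 case. */
static void slcan_write_wakeup(struct slcan *sl) { schedule_work(&sl->tx_work); }

/* free_candev() stand-in: poison now, free() later so a late run is observable. */
static struct slcan *freed_candev;
static void free_candev(struct slcan *sl) { sl->magic = 0; freed_candev = sl; }

/* netdev side (ndo_stop): only reached if the interface was UP; it does flush. */
static void slcan_netdev_close(struct slcan *sl) { flush_work(&sl->tx_work); }

/* tty side (ldisc close); patched=false is the path as it was before the fix. */
static void slcan_close(struct slcan *sl, bool netdev_up, bool patched)
{
	if (netdev_up)			/* unregister_candev() -> ndo_stop() */
		slcan_netdev_close(sl);
	if (patched)			/* the fix: flush on this path as well */
		flush_work(&sl->tx_work);
	free_candev(sl);
}

/* pty03 sequence: attach, write so wakeup fires, close. Returns dangling runs. */
int run_scenario(bool netdev_up, bool patched)
{
	wq_head = NULL; wq_dangling_runs = 0;
	struct slcan *sl = slcan_open();
	slcan_write_wakeup(sl);			/* tx_work is now pending */
	slcan_close(sl, netdev_up, patched);
	run_pending_work();			/* the kworker runs after the close */
	free(freed_candev); freed_candev = NULL;
	return wq_dangling_runs;		/* 1 only for (netdev_up=false, patched=false) */
}
```

Only the combination "interface never UP, tty-side close without flush" lets the work run after its owner is gone, which is exactly the case the commit message describes; bringing the interface UP and DOWN first, or adding the flush to slcan_close(), both close the window. The model poisons the object instead of dereferencing freed memory so that the dangling run is counted rather than crashing the process, which is the one liberty it takes with the real sequence.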
Potential Impact
For European organizations, the impact of CVE-2022-48984 is confined to the availability of Linux systems that use the slcan driver, i.e. CAN adapters attached over a serial or USB-serial link (typically managed with slcand). That is most common in embedded and industrial Linux: automotive test and manufacturing rigs, industrial automation, transport and building infrastructure, and IoT gateways that bridge CAN to IP. Hitting the bug crashes a kernel worker thread and leaves the kernel in an undefined state; on a gateway or controller this is a denial of service, and on a safety-related system the loss of the CAN interface can have consequences beyond the host itself. Confidentiality and integrity are not directly affected. The trigger needs the slcan line discipline attached to a tty (which the driver restricts to CAP_NET_ADMIN), bytes written to the tty before the CAN interface is brought UP, and the tty then closed. That is a plausible sequence during device provisioning, a mis-scripted slcand restart, or an adapter unplugged before the interface was up, so unpatched fleets can hit it in normal operation without any attacker, which is how LTP's pty03 test found it. The absence of known exploits lowers urgency, but organizations running Linux CAN gateways should treat it as a reliability fix to roll out with their next kernel update.
Mitigation Recommendations
To mitigate CVE-2022-48984, organizations should: 1) Apply the upstream fix "can: slcan: fix freed work crash", which adds flush_work(&sl->tx_work) to slcan_close() so the transmit work is flushed on the tty-side teardown path as well as the netdev-side one; it is carried by mainline and stable kernels and by distribution kernel updates. 2) Where a vendor or BSP kernel is used, confirm that the slcan driver in that tree contains the flush in slcan_close() rather than relying on the kernel version string, since embedded trees often backport selectively. 3) Review can327, which the commit message says has the same pattern, and apply its equivalent fix if that driver is in use. 4) Test the CAN stack (slcan, can327, slcand and the applications on top) on representative hardware before rolling the update to production; the fix itself is a one-line synchronization change, but vendor kernels may bundle it with larger slcan changes. 5) Watch kernel logs for the crash signature: a "BUG: kernel NULL pointer dereference" oops with Comm: kworker/*, Workqueue: events and RIP in process_one_work, shortly after an slcan tty was closed. It is an indicator that the bug was hit, which on an unpatched host means the system should be treated as unstable and rebooted, not evidence of an attack. 6) For embedded and industrial fleets, have an update path that can ship kernel fixes promptly, because the trigger can occur in normal operation without an attacker. 7) A kernel oops cannot be contained by sandboxing, so interim measures are about exposure: do not load the slcan module on hosts that do not use serial CAN adapters (a modprobe.d blacklist entry is enough), and since attaching the line discipline already requires CAP_NET_ADMIN, keep that privilege limited to the processes that manage CAN adapters so only they can trigger the sequence.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden, Belgium, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-22T01:27:53.633Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe680f
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 12:43:56 AM
Last updated: 8/11/2025, 9:38:41 PM