
CVE-2022-49021: Vulnerability in Linux Linux

Medium
Published: Mon Oct 21 2024 (10/21/2024, 20:06:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: phy: fix null-ptr-deref while probe() failed

I got a null-ptr-deref report as following when doing fault injection test:

    BUG: kernel NULL pointer dereference, address: 0000000000000058
    Oops: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    RIP: 0010:klist_put+0x2d/0xd0
    Call Trace:
     <TASK>
     klist_remove+0xf1/0x1c0
     device_release_driver_internal+0x23e/0x2d0
     bus_remove_device+0x1bd/0x240
     device_del+0x357/0x770
     phy_device_remove+0x11/0x30
     mdiobus_unregister+0xa5/0x140
     release_nodes+0x6a/0xa0
     devres_release_all+0xf8/0x150
     device_unbind_cleanup+0x19/0xd0

    //probe path:
    phy_device_register()
      device_add()

    phy_connect
      phy_attach_direct() //set device driver
        probe() //it's failed, driver is not bound
        device_bind_driver() // probe failed, it's not called

    //remove path:
    phy_device_remove()
      device_del()
        device_release_driver_internal()
          __device_release_driver() //dev->drv is not NULL
            klist_remove() <- knode_driver is not added yet, cause null-ptr-deref

In phy_attach_direct(), after setting the 'dev->driver', probe() fails, device_bind_driver() is not called, so the knode_driver->n_klist is not set, then it causes null-ptr-deref in __device_release_driver() while deleting device.

Fix this by setting dev->driver to NULL in the error path in phy_attach_direct().

AI-Powered Analysis

Last updated: 07/01/2025, 01:13:36 UTC

Technical Analysis

CVE-2022-49021 is a vulnerability identified in the Linux kernel's networking PHY (physical layer) subsystem. The issue arises during the device probe and removal process in the phy_attach_direct() function. Specifically, when the probe() function fails after setting the device's driver pointer (dev->driver), the subsequent device_bind_driver() call is skipped. This results in the knode_driver->n_klist not being initialized. Later, during device removal, the __device_release_driver() function attempts to remove the device from the driver's klist via klist_remove(). However, since the knode_driver was never properly added due to the failed probe, this leads to a null pointer dereference (NULL-ptr-deref) and a kernel oops (crash). The root cause is that dev->driver remains set despite the probe failure, causing inconsistent state during cleanup. The fix involves resetting dev->driver to NULL in the error path within phy_attach_direct(), preventing the null pointer dereference during device removal. This vulnerability was discovered through fault injection testing and affects Linux kernel versions around 6.1.0-rc3+. The vulnerability can cause kernel crashes, potentially leading to denial of service (DoS) conditions on affected systems. There is no indication of remote code execution or privilege escalation from this flaw. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
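The state inconsistency described above can be reproduced in a small user-space model. This is an added example, not kernel code and not part of the upstream patch: the struct layouts, the function names attach(), release_driver() and attach_then_remove(), and the 'fixed' flag are simplified assumptions, and a return value of -1 stands in for the point where the kernel would oops.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model (not kernel code) of the driver-core state
 * touched by phy_attach_direct() and __device_release_driver(). */
struct klist { int count; };
struct klist_node { struct klist *n_klist; };  /* NULL until the bind step */
struct driver { struct klist devices; };
struct device { struct driver *driver; struct klist_node knode_driver; };

/* Models phy_attach_direct(): set dev->driver, probe, bind only on success.
 * 'fixed' selects whether the error path resets dev->driver to NULL. */
static int attach(struct device *dev, struct driver *drv, bool probe_ok, bool fixed) {
    dev->driver = drv;
    if (!probe_ok) {
        if (fixed) dev->driver = NULL;   /* the fix described above */
        return -1;
    }
    /* Models device_bind_driver(): link the node into the driver's klist. */
    dev->knode_driver.n_klist = &drv->devices;
    drv->devices.count++;
    return 0;
}

/* Models the remove path. Returns 0 when no driver is set, 1 on a clean
 * release, -1 where the kernel would dereference the NULL n_klist. */
static int release_driver(struct device *dev) {
    if (!dev->driver) return 0;
    if (!dev->knode_driver.n_klist)
        return -1;                       /* modelled oops in klist_put() */
    dev->knode_driver.n_klist->count--;
    dev->knode_driver.n_klist = NULL;
    dev->driver = NULL;
    return 1;
}

/* Attach, then remove, and report the remove-path outcome. */
int attach_then_remove(bool probe_ok, bool fixed) {
    struct driver drv = { { 0 } };
    struct device dev = { NULL, { NULL } };
    (void)attach(&dev, &drv, probe_ok, fixed);
    return release_driver(&dev);
}

int main(void) {
    printf("probe fails, unpatched: %d\n", attach_then_remove(false, false));
    printf("probe fails, patched:   %d\n", attach_then_remove(false, true));
    return 0;
}
```

The unpatched failure case is the only one that reaches the remove path with a driver pointer set and no klist membership, which is the invariant the fix restores.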

Potential Impact

For European organizations, the primary impact of CVE-2022-49021 is the potential for local denial of service due to kernel crashes triggered by the null pointer dereference in the Linux PHY subsystem. Systems running affected Linux kernel versions, especially those using network devices reliant on the PHY layer (such as embedded devices, industrial control systems, or servers with specific network interface cards), may experience instability or unexpected reboots. This can disrupt critical network communications and services, impacting availability. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting system crashes could be exploited by local attackers or malicious software to cause service interruptions. Organizations with infrastructure relying on Linux-based networking equipment or embedded Linux devices should be particularly cautious. The impact is more pronounced in environments where high availability and network reliability are essential, such as telecommunications, manufacturing, and financial sectors prevalent in Europe.

Mitigation Recommendations

To mitigate CVE-2022-49021, European organizations should:

1) Apply the official Linux kernel patches that reset dev->driver to NULL on probe failure in the phy_attach_direct() function. This fix is critical to prevent the null pointer dereference during device removal.
2) Update Linux kernel versions to the latest stable releases that include this fix, ideally moving beyond the 6.1.0-rc3+ versions mentioned.
3) Conduct thorough testing of network device drivers and PHY-related components in controlled environments to detect any instability or crashes related to device probing and removal.
4) Implement monitoring for kernel oops and crash logs to quickly identify if this vulnerability is being triggered.
5) Limit local user access on critical Linux systems to reduce the risk of intentional triggering of the fault.
6) For embedded or specialized devices where kernel updates are challenging, consider vendor-specific firmware updates or workarounds that address this issue.
7) Maintain robust backup and recovery procedures to minimize downtime in case of crashes.

These steps go beyond generic advice by focusing on the specific kernel function and device driver behavior involved in this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-22T01:27:53.649Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6934

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 1:13:36 AM

Last updated: 7/31/2025, 6:40:18 PM
