CVE-2022-49034: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar as below when showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]---
AI Analysis
Technical Summary
CVE-2022-49034 addresses a vulnerability in the Linux kernel related to the handling of CPU information display when specific kernel configuration options are enabled. The issue arises when both CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected in the kernel configuration. Under these conditions, the function cpu_max_bits_warn() generates a runtime warning during the display of /proc/cpuinfo, which is a virtual file providing detailed CPU information. The root cause is the use of a static constant NR_CPUS to iterate over CPUs instead of the runtime variable nr_cpu_ids, which reflects the actual number of CPUs present. This mismatch leads to warnings and potential instability as the kernel attempts to access CPU data beyond the actual CPU count. The warning is evidenced by kernel log messages indicating a CPU warning trace, including stack traces pointing to show_cpuinfo and related functions. The fix involves modifying the iteration logic to use nr_cpu_ids, thereby preventing the runtime warning and ensuring accurate CPU information reporting. This vulnerability is not associated with any known exploits in the wild and does not have a CVSS score assigned. It primarily affects Linux kernel versions compiled with the specified configuration options, which are typically used for debugging and development purposes rather than in standard production environments.
Potential Impact
For European organizations, the impact of this vulnerability is generally low. The issue manifests as a runtime warning rather than a security breach or system compromise. It does not allow for privilege escalation, code execution, or denial of service directly. However, in environments where kernel debugging features are enabled—such as development, testing, or specialized embedded systems—this warning could lead to confusion, increased log noise, or minor stability issues. In critical infrastructure or high-availability systems relying on customized kernels with these options enabled, the warning might complicate system monitoring or diagnostics. Since the vulnerability does not expose sensitive data or provide an attack vector, the confidentiality, integrity, and availability of systems are largely unaffected. Nonetheless, organizations should be aware of the potential for misleading kernel warnings that could mask other issues or complicate troubleshooting.
Mitigation Recommendations
To mitigate this issue, European organizations should: 1) Ensure Linux kernels are updated to versions where this vulnerability is fixed, specifically kernels that have adopted the patch replacing NR_CPUS with nr_cpu_ids in the show_cpuinfo function. 2) Review kernel configuration options and disable CONFIG_DEBUG_PER_CPU_MAPS and CONFIG_CPUMASK_OFFSTACK unless explicitly required for debugging or development, as these options are not commonly needed in production. 3) Implement rigorous kernel update policies to promptly apply security and stability patches. 4) Monitor kernel logs for warnings related to CPU information and investigate any anomalies to prevent misinterpretation of system health. 5) For custom or embedded Linux distributions, coordinate with vendors or maintainers to incorporate the fix in their kernel builds. 6) Educate system administrators about the nature of this warning to avoid unnecessary alarm and to focus on genuine security or stability issues.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2022-49034: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected, cpu_max_bits_warn() generates a runtime warning similar as below when showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS to iterate CPUs. [ 3.052463] ------------[ cut here ]------------ [ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 [ 3.070072] Modules linked in: efivarfs autofs4 [ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 [ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 [ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 [ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff [ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 [ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa [ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 [ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 [ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 [ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 [ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c [ 3.195868] ... [ 3.199917] Call Trace: [ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c [ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 [ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 [ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc [ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 [ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 [ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 [ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 [ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 [ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 [ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 [ 3.281824] ---[ end trace 8b484262b4b8c24c ]---
AI-Powered Analysis
Technical Analysis
CVE-2022-49034 addresses a vulnerability in the Linux kernel related to the handling of CPU information display when specific kernel configuration options are enabled. The issue arises when both CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected in the kernel configuration. Under these conditions, the function cpu_max_bits_warn() generates a runtime warning during the display of /proc/cpuinfo, which is a virtual file providing detailed CPU information. The root cause is the use of a static constant NR_CPUS to iterate over CPUs instead of the runtime variable nr_cpu_ids, which reflects the actual number of CPUs present. This mismatch leads to warnings and potential instability as the kernel attempts to access CPU data beyond the actual CPU count. The warning is evidenced by kernel log messages indicating a CPU warning trace, including stack traces pointing to show_cpuinfo and related functions. The fix involves modifying the iteration logic to use nr_cpu_ids, thereby preventing the runtime warning and ensuring accurate CPU information reporting. This vulnerability is not associated with any known exploits in the wild and does not have a CVSS score assigned. It primarily affects Linux kernel versions compiled with the specified configuration options, which are typically used for debugging and development purposes rather than in standard production environments.
Potential Impact
For European organizations, the impact of this vulnerability is generally low. The issue manifests as a runtime warning rather than a security breach or system compromise. It does not allow for privilege escalation, code execution, or denial of service directly. However, in environments where kernel debugging features are enabled—such as development, testing, or specialized embedded systems—this warning could lead to confusion, increased log noise, or minor stability issues. In critical infrastructure or high-availability systems relying on customized kernels with these options enabled, the warning might complicate system monitoring or diagnostics. Since the vulnerability does not expose sensitive data or provide an attack vector, the confidentiality, integrity, and availability of systems are largely unaffected. Nonetheless, organizations should be aware of the potential for misleading kernel warnings that could mask other issues or complicate troubleshooting.
Mitigation Recommendations
To mitigate this issue, European organizations should: 1) Ensure Linux kernels are updated to versions where this vulnerability is fixed, specifically kernels that have adopted the patch replacing NR_CPUS with nr_cpu_ids in the show_cpuinfo function. 2) Review kernel configuration options and disable CONFIG_DEBUG_PER_CPU_MAPS and CONFIG_CPUMASK_OFFSTACK unless explicitly required for debugging or development, as these options are not commonly needed in production. 3) Implement rigorous kernel update policies to promptly apply security and stability patches. 4) Monitor kernel logs for warnings related to CPU information and investigate any anomalies to prevent misinterpretation of system health. 5) For custom or embedded Linux distributions, coordinate with vendors or maintainers to incorporate the fix in their kernel builds. 6) Educate system administrators about the nature of this warning to avoid unnecessary alarm and to focus on genuine security or stability issues.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-22T01:27:53.654Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982fc4522896dcbe69b3
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 1:40:51 AM
Last updated: 8/14/2025, 10:01:39 AM
Views: 12
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.