CVE-2022-49065: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix the svc_deferred_event trace class

Fix a NULL deref crash that occurs when an svc_rqst is deferred while the sunrpc tracing subsystem is enabled. svc_revisit() sets dr->xprt to NULL, so it can't be relied upon in the tracepoint to provide the remote's address.

Unfortunately we can't revert the "svc_deferred_class" hunk in commit ece200ddd54b ("sunrpc: Save remote presentation address in svc_xprt for trace events") because there is now a specific check of event format specifiers for unsafe dereferences. The warning that check emits is:

  event svc_defer_recv has unsafe dereference of argument 1

A "%pISpc" format specifier with a "struct sockaddr *" is indeed flagged by this check.

Instead, take the brute-force approach used by the svcrdma_qp_error tracepoint. Convert the dr::addr field into a presentation address in the TP_fast_assign() arm of the trace event, and store that as a string. This fix can be backported to -stable kernels.

In the meantime, commit c6ced22997ad ("tracing: Update print fmt check to handle new __get_sockaddr() macro") is now in v5.18, so this wonky fix can be replaced with __sockaddr() and friends properly during the v5.19 merge window.
AI Analysis
Technical Summary
CVE-2022-49065 is a NULL pointer dereference in the svc_deferred_event trace class of the Linux kernel's SUNRPC (Sun Remote Procedure Call) subsystem. When an svc_rqst (service request) is deferred while the sunrpc tracing subsystem is enabled, the kernel crashes: svc_revisit() sets dr->xprt to NULL, and the tracepoint then relies on that pointer to obtain the remote address.

Reverting the svc_deferred_class hunk of commit ece200ddd54b is not an option, because the kernel's tracing code now checks event format specifiers for unsafe dereferences and flags a "%pISpc" specifier used with a struct sockaddr pointer. The fix instead converts the dr::addr field into a presentation address string in the TP_fast_assign() arm of the trace event, so the tracepoint no longer depends on a potentially NULL pointer. This is a workaround until a cleaner fix based on the __sockaddr() macro is integrated in kernel version 5.19.

The result is a kernel crash and therefore a denial of service on affected Linux systems running vulnerable kernel versions. The affected code is identified by commit ece200ddd54b9ce840cfee554fb812560c545c7d, and the issue is relevant to stable kernel branches where the SUNRPC tracing subsystem is enabled. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet. Triggering the crash requires kernel-level tracing features to be enabled, which may limit exposure to environments where tracing is actively used for debugging or monitoring RPC calls.
Potential Impact
For European organizations, the primary impact of CVE-2022-49065 is the potential for denial of service due to kernel crashes on Linux systems utilizing the SUNRPC tracing subsystem. This could affect critical infrastructure, servers, and networked applications relying on Linux kernels with the vulnerable commits, especially those using RPC services extensively. Organizations running high-availability services or cloud infrastructure with Linux kernels that have tracing enabled could experience service interruptions. While the vulnerability does not appear to allow privilege escalation or remote code execution, the denial of service impact could disrupt business operations, particularly in sectors such as telecommunications, finance, government, and cloud service providers where Linux is prevalent. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to maintain system stability and reliability. Additionally, the requirement for tracing to be enabled means that many default Linux installations may not be vulnerable unless tracing features are explicitly activated.
Mitigation Recommendations
European organizations should apply the available patches or kernel updates that address this vulnerability as soon as they are released. Specifically, updating to Linux kernel versions that include the fix converting dr::addr to a presentation string in the tracepoint assignment is critical. For environments where kernel tracing is not required, disabling the sunrpc tracing subsystem can mitigate exposure. System administrators should audit their kernel configurations to verify if tracing is enabled and assess the necessity of this feature. In production environments, thorough testing of kernel updates should be conducted to ensure stability. Monitoring kernel logs for svc_deferred_event related errors or crashes can help detect attempts to trigger this vulnerability. Additionally, organizations should maintain robust backup and recovery procedures to minimize downtime in case of crashes. Given the technical nature of the fix, collaboration with Linux distribution vendors to obtain backported patches for stable kernel versions is recommended to ensure timely remediation.
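The audit step recommended above can be scripted. The following POSIX shell functions are an added example, not part of the original advisory or of any vendor tooling; they read tracefs to report whether any sunrpc svc_defer* tracepoint is switched on. The function names are made up for this example, and the script assumes tracefs is mounted at /sys/kernel/tracing and that the events of the svc_deferred_event class share the svc_defer prefix of the svc_defer_recv event named in the description.

```shell
#!/bin/sh
# Added example: audit the sunrpc deferred-request tracepoints via tracefs.
# Assumption: tracefs is mounted at /sys/kernel/tracing (older systems expose
# it at /sys/kernel/debug/tracing); pass another root to audit a copy.

# list_enabled_defer_events [ROOT]
# Print the name of every events/sunrpc/svc_defer* event whose enable file is 1.
list_enabled_defer_events() {
    root=${1:-/sys/kernel/tracing}
    for f in "$root"/events/sunrpc/svc_defer*/enable; do
        [ -r "$f" ] || continue            # glob did not match, or unreadable
        state=$(cat "$f" 2>/dev/null)
        if [ "$state" = "1" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# audit_sunrpc_defer_tracing [ROOT]
# Return 0 when no svc_defer* event is enabled, 1 when at least one is,
# and 2 when the sunrpc event directory is absent and nothing can be concluded.
audit_sunrpc_defer_tracing() {
    root=${1:-/sys/kernel/tracing}
    if [ ! -d "$root/events/sunrpc" ]; then
        echo "cannot audit: $root/events/sunrpc not found" >&2
        return 2
    fi
    enabled=$(list_enabled_defer_events "$root")
    if [ -n "$enabled" ]; then
        echo "enabled svc_defer tracepoints:" $enabled
        return 1
    fi
    echo "no svc_defer tracepoints enabled"
    return 0
}

# Typical use on a live host (reading tracefs normally requires root):
#   audit_sunrpc_defer_tracing /sys/kernel/tracing
```

On an unpatched kernel, an event reported as enabled can be switched off by writing 0 to its enable file until the fixed kernel is installed.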
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.244Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6a43
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 1:54:37 AM
Last updated: 7/30/2025, 3:24:09 AM