CVE-2022-49096: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: sfc: add missing xdp queue reinitialization

After rx/tx ring buffer size is changed, kernel panic occurs when it acts XDP_TX or XDP_REDIRECT.

When tx/rx ring buffer size is changed (ethtool -G), sfc driver reallocates and reinitializes rx and tx queues and their buffer (tx_queue->buffer). But it misses reinitializing xdp queues (efx->xdp_tx_queues). So, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized tx_queue->buffer.

A new function efx_set_xdp_channels() is separated from efx_set_channels() to handle only xdp queues.

Splat looks like:

    BUG: kernel NULL pointer dereference, address: 000000000000002a
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 0 P4D 0
    Oops: 0002 [#4] PREEMPT SMP NOPTI
    RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]
    CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.17.0+ #55 e8beeee8289528f11357029357cf
    Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80
    RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297
    RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]
    RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870
    RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0
    RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000
    R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040
    R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0
    FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80
    CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0
    RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297
    PKRU: 55555554
    RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870
    RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700
    RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000
    R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040
    R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700
    FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0
    PKRU: 55555554
    Call Trace:
    <IRQ>
    efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
    __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
    efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
    efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
    ? enqueue_task_fair+0x95/0x550
    efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
AI Analysis
Technical Summary
CVE-2022-49096 is a vulnerability in the Linux kernel's sfc network driver, which handles Solarflare network adapters. The issue arises when the transmit (tx) and receive (rx) ring buffer sizes are changed with ethtool -G. On a resize, the sfc driver reallocates and reinitializes the rx and tx queues and their buffers (tx_queue->buffer), but it does not reinitialize the XDP (eXpress Data Path) transmit queues, efx->xdp_tx_queues, which are used for the XDP_TX and XDP_REDIRECT actions. A packet handled with either action after the resize is therefore sent through a queue whose tx_queue->buffer is uninitialized, which causes a kernel NULL pointer dereference and a kernel panic (system crash). In the kernel oops log quoted in the description, the fault is a supervisor write to address 0x2a with the instruction pointer in efx_tx_map_chunk, called from efx_xdp_tx_buffers. The fix separates the handling of XDP queues out of efx_set_channels() into a new function, efx_set_xdp_channels(), so that these queues are properly reinitialized when ring buffer sizes change. The vulnerability affects Linux kernel versions that contain the sfc driver without this fix, and it was published on February 26, 2025. There are no known exploits in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the sfc driver managing Solarflare network adapters, especially those utilizing XDP features for high-performance packet processing. Exploitation leads to a kernel panic, causing denial of service (DoS) by crashing affected systems. This can disrupt critical network services, affecting availability and potentially leading to operational downtime. While the vulnerability does not directly allow privilege escalation or data leakage, the resulting instability can impact network infrastructure, servers, and cloud environments relying on affected hardware and kernel versions. Organizations using advanced networking features like XDP for packet filtering, load balancing, or DDoS mitigation may be particularly vulnerable. The lack of known exploits reduces immediate risk, but unpatched systems remain susceptible to accidental or malicious triggering of the bug, especially in environments where ring buffer sizes are dynamically adjusted.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2022-49096. Specifically, ensure that the sfc driver version includes the efx_set_xdp_channels() function that properly reinitializes XDP queues after ring buffer size changes. Until patches are applied, avoid changing tx/rx ring buffer sizes on systems using the sfc driver with XDP enabled. Network administrators should audit their infrastructure to identify servers and devices using Solarflare network adapters and verify kernel versions. Implement monitoring to detect kernel panics or crashes related to the sfc driver. For environments requiring dynamic ring buffer adjustments, consider temporarily disabling XDP features or migrating workloads to unaffected hardware. Additionally, maintain robust backup and recovery procedures to minimize downtime in case of crashes. Engage with Linux distribution vendors for timely security updates and apply them promptly.
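One way to implement the crash monitoring recommended above is to match kernel logs against the signature of the splat in the description. This is an added example, not code from the advisory or the kernel project; the names parse_oopses and matches_sfc_xdp_signature, the timestamps, and the second (unrelated) oops in the sample are constructed for illustration.

```python
import re

# Constructed sample: head of the splat quoted in the advisory with dmesg-style
# timestamps added, followed by a made-up unrelated oops that must not match.
SAMPLE_LOG = """\
[  812.100001] BUG: kernel NULL pointer dereference, address: 000000000000002a
[  812.100009] Oops: 0002 [#4] PREEMPT SMP NOPTI
[  812.100012] RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]
[  812.100020] Call Trace:
[  812.100021]  <IRQ>
[  812.100023]  efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
[  812.100026]  __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
[  812.100029]  efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
[  990.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  990.000004] RIP: 0010:example_fn+0x10/0x40 [example_mod]
[  990.000008] Call Trace:
[  990.000010]  example_caller+0x22/0x80 [example_mod]
"""

BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: 0010:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
FRAME_RE = re.compile(r"^\s*(?:\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]")  # optional dmesg timestamp prefix

def parse_oopses(text):
    """Split kernel log text into oops records: address, RIP function/module, frames."""
    records, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = STAMP_RE.sub("", raw)
        if m := BUG_RE.search(line):
            cur = {"address": int(m.group(1), 16), "rip_fn": None, "rip_mod": None, "frames": []}
            records.append(cur)
            in_trace = False
        elif cur is None:
            continue  # ignore anything before the first BUG line
        elif (m := RIP_RE.search(line)) and cur["rip_fn"] is None:
            cur["rip_fn"], cur["rip_mod"] = m.group(1), m.group(2)  # first RIP line wins
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            cur["frames"].append(m.group(1))
    return records

def matches_sfc_xdp_signature(rec):
    """True when the fault is in sfc's efx_tx_map_chunk, reached via efx_xdp_tx_buffers."""
    return (rec["rip_mod"] == "sfc" and rec["rip_fn"] == "efx_tx_map_chunk"
            and "efx_xdp_tx_buffers" in rec["frames"])
```

Feed it the text of the kernel log (for example a saved dmesg capture) and alert on any record for which matches_sfc_xdp_signature returns True.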
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.249Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6b24
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 2:10:40 AM
Last updated: 7/28/2025, 7:52:08 AM