CVE-2022-49520: Vulnerability in the Linux kernel (arm64 compat syscalls)
In the Linux kernel, the following vulnerability has been resolved:

arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall

If a compat process tries to execute an unknown system call above the __ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the offending process. Information about the error is printed to dmesg in compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() -> arm64_show_signal().

arm64_show_signal() interprets a non-zero value for current->thread.fault_code as an exception syndrome and displays the message associated with the ESR_ELx.EC field (bits 31:26). current->thread.fault_code is set in compat_arm_syscall() -> arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx value. This means that the ESR_ELx.EC field has the value that the user set for the syscall number and the kernel can end up printing bogus exception messages*.

For example, for the syscall number 0x68000000, which evaluates to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:

[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]
[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79
[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]

which is misleading, as the bad compat syscall has nothing to do with pointer authentication.

Stop arm64_show_signal() from printing exception syndrome information by having compat_arm_syscall() set the ESR_ELx value to 0, as it has no meaning for an invalid system call number. The example above now becomes:

[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]
[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80
[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]

which, although it shows less information because the syscall number, wrongfully advertised as the ESR value, is missing, is better than showing plainly wrong information. The syscall number can be easily obtained with strace.

*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative integer in compat_arm_syscall() and the condition scno < __ARM_NR_COMPAT_END evaluates to true; the syscall will exit to userspace in this case with the ENOSYS error code instead of arm64_notify_die() being called.
AI Analysis
Technical Summary
CVE-2022-49520 is a diagnostic bug in the arm64 compat (32-bit AArch32) system call path of the Linux kernel. When a 32-bit process issues a system call number that is not in the compat syscall table, is not one of the ARM private calls handled by compat_arm_syscall(), and is at or above __ARM_NR_COMPAT_END, the kernel sends the process SIGILL and, via arm64_notify_die() -> arm64_force_sig_fault() -> arm64_show_signal(), logs an "unhandled exception" line to dmesg. The signal delivery itself is correct; the bug is that compat_arm_syscall() passed the syscall number to arm64_notify_die() as the ESR argument, so the number was stored in current->thread.fault_code. arm64_show_signal() treats any non-zero fault_code as an ESR_ELx value and prints the exception class string selected by its EC field, bits 31:26. Because the process chooses the syscall number, it effectively chooses which class string the kernel prints: in the commit's example, 0x68000000 has bits 31:26 equal to 0x1A, so the log claims an ERET/ERETAA/ERETAB exception for what is simply a bad syscall. Two details bound the reachable cases. compat_arm_syscall() takes the number as an int, so values of 0x80000000 and above are negative, satisfy scno < __ARM_NR_COMPAT_END and return -ENOSYS without logging anything (the commit's footnote), and any unknown number below __ARM_NR_COMPAT_END also returns -ENOSYS; the logging path is therefore reached only for numbers from __ARM_NR_COMPAT_END up to 0x7fffffff. The line is also printed only when unhandled-signal diagnostics are enabled (the debug.exception-trace sysctl, show_unhandled_signals) and it is rate limited, so the bug cannot be used to flood the log. The fix makes compat_arm_syscall() pass 0 as the ESR value, so arm64_show_signal() omits the class and ESR fields and prints only "Oops - bad compat syscall(2)"; the commit's "after" output was produced on a build on top of 5.18-rc1, so the change is years older than the CVE, which the Linux CNA reserved on 2025-02-26. The bug grants no privilege escalation, code execution or denial of service, and no exploit is known. Its security relevance is log integrity: an unprivileged local 32-bit process can cause the kernel to log an exception class of its choosing, including classes associated with hardware mitigations such as PAC, BTI and FPAC, which can mislead debugging and incident response and trip detections keyed on those strings.
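The decision path described above, modelled in user-space C. This is an added example written for this page, not kernel code: the __ARM_NR_* constants and the EC field layout are the kernel's, while NR_COMPAT_SYSCALLS, the subset of class strings and the function names compat_syscall_model() and render_show_signal() are simplifications chosen here. It shows which syscall numbers reach the logging path, what bits 31:26 of 0x68000000 select, and the log line before and after the fix.

```c
/*
 * Added illustration of the arm64 compat syscall path: invoke_syscall()
 * -> do_ni_syscall() -> compat_arm_syscall() -> arm64_notify_die()
 * -> arm64_show_signal(). Not kernel code; see comments for assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from arch/arm64/include/asm/unistd.h */
#define __ARM_NR_COMPAT_BASE        0x0f0000
#define __ARM_NR_compat_cacheflush  (__ARM_NR_COMPAT_BASE + 2)
#define __ARM_NR_compat_set_tls     (__ARM_NR_COMPAT_BASE + 5)
#define __ARM_NR_COMPAT_END         (__ARM_NR_COMPAT_BASE + 0x800)

/* Assumed: size of the compat syscall table. The real __NR_compat_syscalls
 * varies by kernel version; any value in the low hundreds gives the same
 * results for the numbers probed here. */
#define NR_COMPAT_SYSCALLS          451

/* From arch/arm64/include/asm/esr.h: the exception class is bits 31:26. */
#define ESR_ELx_EC_SHIFT 26
#define ESR_ELx_EC_MASK  (0x3FUL << ESR_ELx_EC_SHIFT)
#define ESR_ELx_EC(esr)  (((esr) & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT)

enum outcome { DISPATCHED, ARM_PRIVATE_HANDLED, ENOSYS_RETURNED, SIGILL_SENT };

struct result {
    enum outcome outcome;
    uint32_t fault_code;  /* what arm64_notify_die() stores in current->thread.fault_code */
};

/* Subset of esr_class_str[] from arch/arm64/kernel/traps.c (assumed to match);
 * the fallback is what esr_get_class_string() returns for an unlisted class. */
static const char *esr_get_class_string(uint32_t esr)
{
    switch (ESR_ELx_EC(esr)) {
    case 0x09: return "PAC";
    case 0x0D: return "BTI";
    case 0x1A: return "ERET/ERETAA/ERETAB";
    case 0x1C: return "FPAC";
    default:   return "UNRECOGNIZED EC";
    }
}

/* Model of the kernel's handling of one syscall number from a 32-bit task.
 * `fixed` selects the patched behaviour (compat_arm_syscall() passes 0 as ESR). */
static struct result compat_syscall_model(uint32_t raw_scno, int fixed)
{
    struct result r = { DISPATCHED, 0 };
    int scno = (int)raw_scno;   /* compat_arm_syscall(regs, int scno) */

    if (raw_scno < NR_COMPAT_SYSCALLS)
        return r;               /* ordinary table dispatch (unsigned compare) */

    switch (scno) {
    case __ARM_NR_compat_cacheflush:
    case __ARM_NR_compat_set_tls:
        r.outcome = ARM_PRIVATE_HANDLED;
        return r;
    default:
        /* Commit footnote: numbers >= 0x80000000 are negative as an int,
         * so they pass this test too and return -ENOSYS without any log. */
        if (scno < __ARM_NR_COMPAT_END) {
            r.outcome = ENOSYS_RETURNED;
            return r;
        }
        break;
    }

    /* arm64_notify_die("Oops - bad compat syscall(2)", regs, SIGILL,
     * ILL_ILLTRP, addr, esr): the bug passed scno as esr; the fix passes 0. */
    r.outcome = SIGILL_SENT;
    r.fault_code = fixed ? 0 : raw_scno;
    return r;
}

/* The first line arm64_show_signal() prints, built from fault_code:
 * a non-zero value is taken to be an ESR and its class string is shown. */
static int render_show_signal(char *buf, size_t len, const char *comm, int pid,
                              uint32_t esr, const char *str)
{
    if (esr)
        return snprintf(buf, len, "%s[%d]: unhandled exception: %s, ESR 0x%08x, %s",
                        comm, pid, esr_get_class_string(esr), (unsigned)esr, str);
    return snprintf(buf, len, "%s[%d]: unhandled exception: %s", comm, pid, str);
}

int main(void)
{
    /* 0x68000000 is the commit's example (EC 0x1A); 0x70000000 has EC 0x1C;
     * 0x80000000 is the sign-bit case from the footnote; 0x0f0009 is an
     * unknown number below __ARM_NR_COMPAT_END. */
    const uint32_t probes[] = { 0x68000000u, 0x70000000u, 0x80000000u, 0x0f0009u };
    const char *names[] = { "dispatched", "ARM private call", "-ENOSYS", "SIGILL" };
    char line[160];

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct result r = compat_syscall_model(probes[i], fixed);
            printf("%s scno=0x%08x -> %s", fixed ? "fixed:" : "buggy:",
                   (unsigned)probes[i], names[r.outcome]);
            if (r.outcome == SIGILL_SENT) {
                render_show_signal(line, sizeof line, "syscall", 300, r.fault_code,
                                   "Oops - bad compat syscall(2)");
                printf(" ; dmesg: %s", line);
            }
            printf("\n");
        }
    }
    return 0;
}
```

Running it prints the buggy and fixed log lines side by side for each probe; only numbers in the window from __ARM_NR_COMPAT_END to 0x7fffffff ever produce a line, and on the buggy path the class string is whatever bits 31:26 of the chosen number happen to select.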
Potential Impact
For European organizations, the direct security impact of CVE-2022-49520 is low: it does not enable privilege escalation, code execution or denial of service, and the rate limiting in arm64_show_signal() means it cannot be used to flood the kernel log. What it affects is the trustworthiness of one kernel log line. Any unprivileged 32-bit process on an affected arm64 kernel can make dmesg report an exception class of its choosing, so a detection rule or dashboard that treats strings such as "PAC", "BTI" or "FPAC" in "unhandled exception" lines as evidence of attacks on pointer authentication or branch target identification can be fed false positives, and an analyst reading the log during an incident can be sent down the wrong path. On unpatched kernels the same line also hides the one useful fact it carries: the value printed as "ESR" is really the attempted syscall number. This matters most where arm64 Linux still runs 32-bit userspace: embedded and industrial devices, mobile-derived platforms and mixed-ABI container hosts. The impact is operational and diagnostic rather than a direct threat to confidentiality, integrity or availability, but accurate kernel logs are part of the evidence base that security monitoring and compliance regimes such as GDPR and the NIS Directive rely on.
Mitigation Recommendations
1. Run a kernel that contains the fix "arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall". It was developed against 5.18-rc1, long before the CVE was assigned, so current distribution kernels already carry it; check your vendor's advisory for CVE-2022-49520 on long-term branches.
2. For custom or embedded arm64 kernels, backport the fix: compat_arm_syscall() (arch/arm64/kernel/sys_compat.c) must pass 0, not scno, as the ESR argument of arm64_notify_die(). Grepping that call is a quick way to confirm whether a given tree is affected.
3. Educate system administrators and security teams: on unpatched kernels, a dmesg line that ends in "Oops - bad compat syscall(2)" carries a class name and "ESR" value that are not an exception syndrome; the "ESR" value is the syscall number the process attempted, and the class name is derived from its top six bits.
4. Use strace (for example strace -f on the process) to identify the invalid syscall and the SIGILL that follows it; on patched kernels the log line no longer contains the number at all, so the kernel log cannot be the only source.
5. In log monitoring, parse these lines rather than pattern-matching on class strings: ignore the class field on bad-compat-syscall lines, do not alert on PAC, BTI or FPAC strings from them, and correlate genuine "unhandled exception" lines with other telemetry.
6. Where no 32-bit userspace is needed, build the kernel with CONFIG_COMPAT disabled, which removes the AArch32 syscall path, including compat_arm_syscall(), entirely.
7. Keep documentation and incident response playbooks current so that responders know which kernels print the bogus class string and how to recover the syscall number from them.
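Recommendations 3 to 5 amount to one parsing rule for log-triage or SIEM tooling. The following C program is an added example, not code from the advisory or the kernel: it applies that rule to constructed dmesg lines (the first two copied from the commit message, the rest made up in the same format), assumes dmesg's default "[seconds] comm[pid]: ..." prefix, and uses names chosen here (triage_line(), struct triage, the verdict enum).

```c
/*
 * Added example: classify arm64 "unhandled exception" dmesg lines so that
 * the exception class printed for a bad compat syscall is not treated as
 * a real fault class. Not from the advisory or the kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BAD_COMPAT_STR "Oops - bad compat syscall(2)"

enum verdict {
    NOT_RELEVANT,           /* not an arm64 "unhandled exception" line */
    GENUINE_EXCEPTION,      /* ESR class describes a real fault: keep it */
    BAD_SYSCALL_BOGUS_ESR,  /* unpatched kernel: class is user-chosen, ESR field is the syscall number */
    BAD_SYSCALL_NO_ESR      /* patched kernel: no ESR printed; recover the number with strace */
};

struct triage {
    enum verdict verdict;
    char comm[32];
    int pid;
    char esr_class[64];
    uint32_t esr;    /* raw ESR field if the line carries one */
    uint32_t scno;   /* syscall number recovered for BAD_SYSCALL_BOGUS_ESR */
};

/* Extract the value of a ", ESR 0x........" field, if present. */
static int parse_esr_field(const char *s, uint32_t *esr)
{
    const char *p = strstr(s, ", ESR 0x");
    unsigned v;
    if (!p || sscanf(p + strlen(", ESR 0x"), "%x", &v) != 1)
        return 0;
    *esr = v;
    return 1;
}

static struct triage triage_line(const char *line)
{
    struct triage t;
    const char *desc;
    size_t n;

    memset(&t, 0, sizeof t);
    desc = strstr(line, "]: unhandled exception: ");
    if (!desc) {
        t.verdict = NOT_RELEVANT;
        return t;
    }
    desc += strlen("]: unhandled exception: ");

    /* comm[pid] precedes the marker; accept dmesg's "[ts]" prefix or none (assumed format). */
    if (sscanf(line, "[%*f] %31[^[][%d]", t.comm, &t.pid) != 2)
        sscanf(line, "%31[^[][%d]", t.comm, &t.pid);

    if (parse_esr_field(desc, &t.esr)) {
        n = strcspn(desc, ",");           /* class string ends at the first comma */
        if (n >= sizeof t.esr_class)
            n = sizeof t.esr_class - 1;
        memcpy(t.esr_class, desc, n);
        t.esr_class[n] = '\0';
    }

    if (strstr(desc, BAD_COMPAT_STR)) {
        if (t.esr) {
            t.verdict = BAD_SYSCALL_BOGUS_ESR;
            t.scno = t.esr;               /* the bug stored scno in fault_code */
        } else {
            t.verdict = BAD_SYSCALL_NO_ESR;
        }
    } else {
        t.verdict = GENUINE_EXCEPTION;
    }
    return t;
}

/* Constructed sample: lines 1-2 are the commit message's before/after output,
 * lines 3-5 are made up in the same format. */
static const char *SAMPLE[] = {
    "[   18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]",
    "[   19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]",
    "[   42.000001] legacyapp[412]: unhandled exception: FPAC, ESR 0x70000000, Oops - bad compat syscall(2) in legacyapp[10000+50000]",
    "[   43.000002] worker[500]: unhandled exception: BTI, ESR 0x34000000, Oops - BTI in worker[400000+8000]",
    "[   44.000003] systemd[1]: Started Session 3 of user root.",
};

int main(void)
{
    static const char *names[] = { "not relevant", "genuine exception",
        "bad compat syscall: class untrusted", "bad compat syscall: patched kernel" };
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        struct triage t = triage_line(SAMPLE[i]);
        printf("%-36s", names[t.verdict]);
        if (t.verdict == BAD_SYSCALL_BOGUS_ESR)
            printf(" comm=%s pid=%d printed_class=\"%s\" syscall_nr=0x%08x",
                   t.comm, t.pid, t.esr_class, (unsigned)t.scno);
        else if (t.verdict != NOT_RELEVANT)
            printf(" comm=%s pid=%d class=\"%s\"", t.comm, t.pid, t.esr_class);
        printf("\n");
    }
    return 0;
}
```

The rule is deliberately narrow: only lines whose description is the bad-compat-syscall string have their class discarded, so a genuine BTI or PAC fault from the same host is still reported with its class intact.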
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.588Z
- CISA Enriched: false
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5cc6
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 5:29:36 PM
Last updated: 7/31/2025, 8:24:04 PM
Views: 12
Related Threats
- CVE-2025-6572 (High): CWE-79 Cross-Site Scripting (XSS) in OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)
- CVE-2025-54959 (Medium): Improper limitation of a pathname to a restricted directory ('Path Traversal') in Mubit co.,ltd. Powered BLUE 870
- CVE-2025-54958 (Medium): Improper neutralization of special elements used in an OS command ('OS Command Injection') in Mubit co.,ltd. Powered BLUE 870
- CVE-2025-54940 (Low): Code injection in WPEngine, Inc. Advanced Custom Fields
- CVE-2025-8708 (Low): Deserialization in Antabot White-Jotter