CVE-2022-49691: Vulnerability in Linux Linux

High
Published: Wed Feb 26 2025 (02/26/2025, 02:24:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

erspan: do not assume transport header is always set

Rewrite tests in ip6erspan_tunnel_xmit() and erspan_fb_xmit() to not assume transport header is set.

syzbot reported:

    WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skb_transport_header include/linux/skbuff.h:2911 [inline]
    WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
    Modules linked in:
    CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    RIP: 0010:skb_transport_header include/linux/skbuff.h:2911 [inline]
    RIP: 0010:ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
    Code: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00
    RSP: 0018:ffffc90005daf910 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
    RDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003
    RBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff
    R10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40
    R13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000
    FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0
    Call Trace:
    <TASK>
    __netdev_start_xmit include/linux/netdevice.h:4805 [inline]
    netdev_start_xmit include/linux/netdevice.h:4819 [inline]
    xmit_one net/core/dev.c:3588 [inline]
    dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3604
    sch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342
    __dev_xmit_skb net/core/dev.c:3815 [inline]
    __dev_queue_xmit+0x14a1/0x3900 net/core/dev.c:4219
    dev_queue_xmit include/linux/netdevice.h:2994 [inline]
    tx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63
    kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229
    kthread+0x2e9/0x3a0 kernel/kthread.c:376
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
    </TASK>

AI-Powered Analysis

Last updated: 06/30/2025, 00:12:01 UTC

Technical Analysis

CVE-2022-49691 is a vulnerability identified in the Linux kernel, specifically related to the handling of ERSPAN (Encapsulated Remote Switched Port Analyzer) tunnels within the IPv6 GRE (Generic Routing Encapsulation) networking code. The vulnerability arises from incorrect assumptions in the kernel code about the presence of the transport header in network packets during the execution of the ip6erspan_tunnel_xmit() and erspan_fb_xmit() functions. These functions are responsible for transmitting ERSPAN tunneled packets over IPv6 networks.

The flaw was detected by syzbot, an automated kernel fuzzing tool, which reported warnings indicating that the skb_transport_header pointer was being accessed without verifying its validity. This can lead to kernel warnings or potentially kernel crashes (kernel oops) due to dereferencing a null or invalid pointer. The root cause is that the code assumed the transport header was always set in the socket buffer (skb) structure, which is not guaranteed. The fix involved rewriting the tests in the affected functions to properly check for the presence of the transport header before accessing it.

The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using ERSPAN tunnels over IPv6, which are commonly used for network traffic monitoring and analysis in complex network environments. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability does not require user interaction but does require the ability to send specially crafted ERSPAN packets to the vulnerable system to trigger the issue. The impact is primarily on system stability and availability due to potential kernel crashes or denial of service conditions.

Potential Impact

For European organizations, the impact of CVE-2022-49691 could be significant in environments where Linux-based systems are used as network infrastructure components, especially those leveraging ERSPAN tunnels for network monitoring, traffic analysis, or security inspection. Successful exploitation could cause kernel panics or crashes, leading to denial of service on critical network devices or servers. This could disrupt business operations, degrade network performance, and impact services relying on continuous network availability. Organizations in sectors such as telecommunications, finance, government, and critical infrastructure that rely heavily on Linux networking capabilities might face operational risks. Additionally, if attackers combine this vulnerability with other exploits, it could be part of a broader attack strategy to destabilize network monitoring or security tools, potentially masking other malicious activities. However, since no known exploits are currently reported, the immediate risk is moderate but should be addressed proactively to prevent future exploitation.

Mitigation Recommendations

To mitigate CVE-2022-49691, European organizations should:

1) Apply the latest Linux kernel patches as soon as they become available from trusted sources or Linux distribution vendors, ensuring that the fixes for the ERSPAN transport header handling are included.
2) Audit network infrastructure to identify systems using ERSPAN tunnels over IPv6 and prioritize patching on these devices.
3) Implement network segmentation and strict ingress filtering to limit exposure to potentially malicious ERSPAN packets, reducing the attack surface.
4) Monitor kernel logs and system behavior for unusual warnings or crashes related to skb_transport_header or ERSPAN functionality to detect potential exploitation attempts early.
5) Employ intrusion detection systems (IDS) or network anomaly detection tools capable of recognizing malformed or suspicious ERSPAN traffic.
6) Consider temporarily disabling ERSPAN tunneling if it is not essential to operations until patches are applied.
7) Maintain a robust backup and recovery plan for critical Linux systems to minimize downtime in case of exploitation.

These steps go beyond generic advice by focusing on the specific network feature (ERSPAN over IPv6) and kernel-level monitoring.
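One way to implement the kernel-log monitoring in step 4, as an added example that is not part of the original page or of any kernel tooling: it groups log lines into WARNING blocks and reports those raised from include/linux/skbuff.h that name one of the two ERSPAN transmit functions from the description. The function name `find_erspan_warnings`, the regular expressions and the sample log are assumptions constructed for this illustration, the sample being modelled on the syzbot report above.

```python
import re

# Function names come from the CVE description; everything else is illustrative.
ERSPAN_XMIT = ("ip6erspan_tunnel_xmit", "erspan_fb_xmit")
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+?):\d+")
COMM_RE = re.compile(r"Comm: (\S+) (?:Not tainted|Tainted: .*?) (\d\S*) #")
FUNC_RE = re.compile(r"\b(" + "|".join(ERSPAN_XMIT) + r")\+0x")

# Constructed sample: one unrelated WARNING, then one modelled on the syzbot report.
SAMPLE_LOG = """\
[  101.000001] ------------[ cut here ]------------
[  101.000002] WARNING: CPU: 1 PID: 77 at net/core/dev.c:100 example_fn+0x10/0x20
[  101.000003] CPU: 1 PID: 77 Comm: worker Not tainted 6.0.0-example #1
[  101.000004] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0
[  202.000003] CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0
[  202.000004] ---[ end trace 0000000000000000 ]---
""".splitlines()

def find_erspan_warnings(lines):
    """Return one finding per WARNING block that was raised from
    include/linux/skbuff.h and names an ERSPAN transmit function."""
    findings, block = [], None
    def close(b):
        if b and b["file"].endswith("include/linux/skbuff.h") and b["funcs"]:
            findings.append({"pid": b["pid"], "comm": b["comm"], "release": b["release"],
                             "functions": sorted(b["funcs"])})
    for line in lines:
        if "[ cut here ]" in line or "[ end trace" in line:
            close(block)            # boundary markers printed around a WARN
            block = None
            continue
        warn = WARN_RE.search(line)
        if warn and block is None:  # syzbot-style reports may lack the markers
            block = {"pid": int(warn[1]), "file": warn[2], "comm": None,
                     "release": None, "funcs": set()}
        if block is None:
            continue
        block["funcs"].update(FUNC_RE.findall(line))
        comm = COMM_RE.search(line)
        if comm:
            block["comm"], block["release"] = comm[1], comm[2]
    close(block)
    return findings

if __name__ == "__main__":
    for hit in find_erspan_warnings(SAMPLE_LOG):
        print(hit)
```

The match keys on the source file and function names rather than the line number 2911, which changes between kernel versions. A clean log does not show that a host is patched; confirm the running kernel against the distribution's advisory.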


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:21:30.442Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4853

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 12:12:01 AM

Last updated: 8/11/2025, 12:02:47 PM
