CVE-2022-49812: Vulnerability in Linux Linux

Medium
Published: Thu May 01 2025 (05/01/2025, 14:09:36 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: switchdev: Fix memory leaks when changing VLAN protocol

The bridge driver can offload VLANs to the underlying hardware either via switchdev or the 8021q driver. When the former is used, the VLAN is marked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV' private flag.

To avoid the memory leaks mentioned in the cited commit, the bridge driver will try to delete a VLAN via the 8021q driver if the VLAN is not marked with the previously mentioned flag.

When the VLAN protocol of the bridge changes, switchdev drivers are notified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but the 8021q driver is also called to add the existing VLANs with the new protocol and delete them with the old protocol.

In case the VLANs were offloaded via switchdev, the above behavior is both redundant and buggy. Redundant because the VLANs are already programmed in hardware and drivers that support VLAN protocol change (currently only mlx5) change the protocol upon the switchdev attribute notification. Buggy because the 8021q driver is called despite these VLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to memory leaks [1] when the VLANs are deleted.

Fix by not calling the 8021q driver for VLANs that were already programmed via switchdev.

[1]
unreferenced object 0xffff8881f6771200 (size 256):
  comm "ip", pid 446855, jiffies 4298238841 (age 55.240s)
  hex dump (first 32 bytes):
    00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000012819ac>] vlan_vid_add+0x437/0x750
    [<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920
    [<000000000632b56f>] br_changelink+0x3d6/0x13f0
    [<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0
    [<00000000f6276baf>] rtnl_newlink+0x5f/0x90
    [<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00
    [<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340
    [<0000000010588814>] netlink_unicast+0x438/0x710
    [<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40
    [<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0
    [<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0
    [<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0
    [<00000000684f7e25>] __sys_sendmsg+0xab/0x130
    [<000000004538b104>] do_syscall_64+0x3d/0x90
    [<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

AI-Powered Analysis

Last updated: 06/30/2025, 01:56:11 UTC

Technical Analysis

CVE-2022-49812 is a vulnerability in the Linux kernel's bridge driver related to VLAN (Virtual LAN) protocol handling when using switchdev offloading. The Linux bridge driver can offload VLAN processing to underlying hardware via either switchdev or the 8021q driver. When VLANs are offloaded via switchdev, they are marked with a private flag 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. The vulnerability arises when the VLAN protocol of the bridge changes. In this scenario, the switchdev drivers are notified to update the VLAN protocol, and the 8021q driver is also called to add the existing VLANs with the new protocol and delete them with the old protocol. However, for VLANs offloaded via switchdev, calling the 8021q driver is redundant and buggy because these VLANs are already programmed in hardware and the switchdev drivers (e.g., mlx5) handle protocol changes internally. This redundant call leads to memory leaks when the VLANs are later deleted: because they are marked as added by switchdev, the bridge driver does not delete them via the 8021q driver, leaving unreferenced objects in kernel memory. The fix involves modifying the bridge driver to avoid calling the 8021q driver for VLANs already programmed via switchdev, thus preventing memory leaks. Although this vulnerability does not appear to allow direct code execution or privilege escalation, it can degrade system stability and reliability by leaking kernel memory during VLAN protocol changes on bridges using switchdev offloading. The issue is specific to Linux kernel versions incorporating the affected bridge driver code and hardware supporting switchdev offloading (notably Mellanox mlx5 drivers). No known exploits are reported in the wild as of now.
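The sequence in the description (offload a VLAN via switchdev, change the bridge's VLAN protocol, delete the VLAN) can be followed in a small user-space model. This is an added example, not the kernel patch or code from this page: only the flag name BR_VLFLAG_ADDED_BY_SWITCHDEV comes from the advisory, while the structs, the function names and the `fixed` switch are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define BR_VLFLAG_ADDED_BY_SWITCHDEV 1u /* name from the advisory; value arbitrary */
#define BY_SWITCHDEV(v) (((v)->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV) != 0)
#define NVID 64
/* filter[][] is a toy stand-in for the port's 8021q entries: a refcount per (proto, vid). */
struct br_vlan { int vid; unsigned priv_flags; };
struct bridge { int proto, n; struct br_vlan vlans[8]; int filter[2][NVID]; };
static void vid_add(struct bridge *br, int proto, int vid) { br->filter[proto][vid]++; }
static void vid_del(struct bridge *br, int proto, int vid) {
    if (br->filter[proto][vid] > 0) br->filter[proto][vid]--; /* absent entry: no-op */
}
static void br_vlan_add(struct bridge *br, int vid, bool offloaded) {
    struct br_vlan *v = &br->vlans[br->n++];
    v->vid = vid;
    v->priv_flags = offloaded ? BR_VLFLAG_ADDED_BY_SWITCHDEV : 0;
    if (!offloaded) vid_add(br, br->proto, vid); /* no switchdev: use the 8021q path */
}
/* Protocol change; `fixed` selects the patched behaviour (skip flagged VLANs). */
static void br_set_proto(struct bridge *br, int proto, bool fixed) {
    int old = br->proto;
    for (int i = 0; i < br->n; i++) /* add existing VLANs with the new protocol */
        if (!(fixed && BY_SWITCHDEV(&br->vlans[i]))) vid_add(br, proto, br->vlans[i].vid);
    br->proto = proto;
    for (int i = 0; i < br->n; i++) /* delete them with the old protocol */
        if (!(fixed && BY_SWITCHDEV(&br->vlans[i]))) vid_del(br, old, br->vlans[i].vid);
}
/* VLAN deletion calls the 8021q side only for VLANs without the flag. */
static void br_vlan_flush(struct bridge *br) {
    for (int i = 0; i < br->n; i++)
        if (!BY_SWITCHDEV(&br->vlans[i])) vid_del(br, br->proto, br->vlans[i].vid);
    br->n = 0;
}
/* Entries still held once every VLAN is gone; 0 means nothing leaked. */
int leaked_entries(bool offloaded, bool fixed) {
    struct bridge br = {0};
    int left = 0;
    br_vlan_add(&br, 10, offloaded); /* constructed sample VLAN IDs */
    br_vlan_add(&br, 20, offloaded);
    br_set_proto(&br, 1, fixed);
    br_vlan_flush(&br);
    for (int i = 0; i < 2 * NVID; i++) left += br.filter[i / NVID][i % NVID];
    return left;
}
int main(void) {
    printf("unpatched=%d patched=%d\n", leaked_entries(true, false), leaked_entries(true, true));
    return 0;
}
```

In the model, VLANs that were never offloaded balance out with or without the skip, which is why only switchdev-offloaded bridges show the leak.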

Potential Impact

For European organizations, especially those operating data centers, cloud infrastructure, or enterprise networks relying on Linux-based systems with advanced networking features such as VLAN offloading via switchdev, this vulnerability could lead to memory leaks in kernel space. Over time, these leaks may cause system instability, degraded network performance, or crashes, impacting availability of critical network services. Organizations using hardware with mlx5 or similar switchdev-capable drivers are particularly at risk. This could affect telecom providers, cloud service providers, financial institutions, and large enterprises that rely on Linux bridges for network segmentation and traffic isolation. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact could disrupt business operations and service continuity. Additionally, memory leaks in kernel space can complicate troubleshooting and increase maintenance overhead. Given the widespread use of Linux in European IT infrastructure, the vulnerability poses a moderate operational risk until patched.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is fixed, ensuring the bridge driver no longer calls the 8021q driver for VLANs offloaded via switchdev. Specifically, kernel updates that include the patch for CVE-2022-49812 should be applied promptly. Network administrators should audit their infrastructure to identify systems using switchdev offloading, particularly those with Mellanox mlx5 hardware or similar. If immediate patching is not feasible, temporarily disabling VLAN offloading via switchdev on affected systems can mitigate memory leak risks, though this may impact network performance. Monitoring kernel logs for memory leak indicators and unusual bridge behavior can help detect exploitation attempts or system degradation. Incorporating these checks into routine system health monitoring and incident response plans will enhance resilience. Finally, coordinating with hardware vendors and Linux distribution maintainers to receive timely patches and advisories is critical for ongoing protection.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.226Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4cb9

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 1:56:11 AM

Last updated: 8/12/2025, 10:13:48 PM
