
CVE-2022-49863: Vulnerability in Linux Linux

High
Published: Thu May 01 2025 (05/01/2025, 14:10:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

can: af_can: fix NULL pointer dereference in can_rx_register()

It causes NULL pointer dereference when testing as following:
(a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
(b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan link device, and bind vxcan device to bond device (can also use ifenslave command to bind vxcan device to bond device).
(c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
(d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.

The bond device invokes the can-raw protocol registration interface to receive CAN packets. However, ml_priv is not allocated to the dev, dev_rcv_lists is assigned to NULL in can_rx_register(). In this case, it will occur the NULL pointer dereference issue.

The following is the stack information:

BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
RIP: 0010:can_rx_register+0x12d/0x1e0
Call Trace:
<TASK>
raw_enable_filters+0x8d/0x120
raw_enable_allfilters+0x3b/0x130
raw_bind+0x118/0x4f0
__sys_bind+0x163/0x1a0
__x64_sys_bind+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>

AI-Powered Analysis

Last updated: 06/28/2025, 00:56:43 UTC

Technical Analysis

CVE-2022-49863 is a vulnerability in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the af_can module responsible for CAN socket operations. The flaw arises due to a NULL pointer dereference in the function can_rx_register(). The vulnerability manifests when a sequence of system calls is executed: first, a netlink socket is created; then, a bond link device and a vxcan link device are created and bound together; next, a CAN socket is created; finally, the bond device is bound to the CAN socket. During this process, the bond device invokes the can-raw protocol registration interface to receive CAN packets. However, the kernel fails to allocate the ml_priv structure to the device, resulting in the dev_rcv_lists pointer being set to NULL. When can_rx_register() attempts to access this NULL pointer, a kernel NULL pointer dereference occurs, leading to a kernel oops and potential system crash or denial of service. The stack trace indicates the fault occurs at can_rx_register+0x12d, triggered by raw_bind and subsequent socket bind system calls. This vulnerability affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability requires local system calls to be executed in a specific order, implying that an attacker needs local access and the ability to create and bind CAN and netlink sockets. The issue impacts kernel stability and availability but does not directly indicate privilege escalation or data confidentiality compromise.

Potential Impact

For European organizations, the impact of CVE-2022-49863 primarily concerns systems running Linux kernels with affected versions that utilize CAN networking features. CAN is widely used in automotive, industrial control systems, and embedded devices, which are prevalent in sectors such as manufacturing, automotive engineering, and critical infrastructure. A successful exploitation could cause kernel crashes leading to denial of service on affected devices, potentially disrupting operations in environments relying on CAN communication. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting system instability could affect availability of critical systems. Organizations deploying Linux-based embedded systems, IoT devices, or automotive control units in Europe should be particularly vigilant. Disruptions in industrial or automotive environments could have safety implications or cause operational downtime. Additionally, since exploitation requires local access and specific socket operations, the threat is more relevant to insiders or attackers with initial foothold rather than remote attackers without access.

Mitigation Recommendations

To mitigate CVE-2022-49863, European organizations should:

1) Apply kernel patches or updates from Linux distributions that address the NULL pointer dereference in can_rx_register() as soon as they become available.
2) Restrict local user permissions to prevent unauthorized creation and binding of CAN and netlink sockets, limiting access to trusted users and processes only.
3) Monitor systems for unusual socket creation or binding activities related to CAN interfaces, which may indicate attempts to exploit this vulnerability.
4) In environments where CAN networking is not required, consider disabling the af_can module or related CAN socket functionalities to reduce the attack surface.
5) For embedded or automotive Linux systems, coordinate with vendors to ensure firmware updates include the fix.
6) Implement robust system integrity and availability monitoring to detect kernel crashes or oops events promptly.
7) Conduct internal audits to identify systems running vulnerable kernel versions and prioritize patching based on criticality and exposure.
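A log-side check for the oops monitoring recommended above, as an added example rather than code from this page or from the Linux project: it parses kernel log text for the signature quoted in the description (a NULL dereference faulting in can_rx_register and reached through raw_bind). The function names and the timestamped sample log are constructed for illustration.

```python
import re

# Constructed sample: the oops from the CVE description with dmesg-style
# timestamps added, followed by an unrelated, made-up oops.
SAMPLE_LOG = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  101.000002] Oops: 0000 [#1] PREEMPT SMP
[  101.000003] RIP: 0010:can_rx_register+0x12d/0x1e0
[  101.000004] Call Trace:
[  101.000005]  <TASK>
[  101.000006]  raw_enable_filters+0x8d/0x120
[  101.000007]  raw_enable_allfilters+0x3b/0x130
[  101.000008]  raw_bind+0x118/0x4f0
[  101.000009]  __sys_bind+0x163/0x1a0
[  101.000010]  </TASK>
[  202.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  202.000002] RIP: 0010:example_driver_probe+0x20/0x90
[  202.000003] Call Trace:
[  202.000004]  example_bus_attach+0x11/0x40
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix
BUG = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP = re.compile(r"RIP: [0-9a-f]+:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME = re.compile(r"^\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(text):
    """Split a kernel log into NULL-dereference reports: address, RIP symbol, frames."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.search(line):
            cur = {"address": m.group(1), "rip": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue  # ignore lines before the first report
        elif m := RIP.search(line):
            cur["rip"] = cur["rip"] or m.group(1)  # keep the first (faulting) RIP
        elif m := FRAME.match(line):
            cur["frames"].append(m.group(1))
    return reports

def scan(text):
    """Return reports matching the description: fault in can_rx_register via raw_bind."""
    return [r for r in parse_oopses(text)
            if r["rip"] == "can_rx_register" and "raw_bind" in r["frames"]]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```
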


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.236Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd769

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 12:56:43 AM

Last updated: 7/28/2025, 12:58:53 AM
