CVE-2022-49888: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: avoid kprobe recursion

The cortex_a76_erratum_1463225_debug_handler() function is called when handling debug exceptions (and synchronous exceptions from BRK instructions), and so is called when a probed function executes. If the compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it can be probed.

If cortex_a76_erratum_1463225_debug_handler() is probed, any debug exception or software breakpoint exception will result in recursive exceptions leading to a stack overflow. This can be triggered with the ftrace multiple_probes selftest, and as per the example splat below.

This is a regression caused by commit:

  6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")

... which removed the NOKPROBE_SYMBOL() annotation associated with the function.

My intent was that cortex_a76_erratum_1463225_debug_handler() would be inlined into its caller, el1_dbg(), which is marked noinstr and cannot be probed. Mark cortex_a76_erratum_1463225_debug_handler() as __always_inline to ensure this.

Example splat prior to this patch (with recursive entries elided):

| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
| # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events
| # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable
| Insufficient stack space to handle exception!
| ESR: 0x0000000096000047 -- DABT (current EL)
| FAR: 0xffff800009cefff0
| Task stack: [0xffff800009cf0000..0xffff800009cf4000]
| IRQ stack: [0xffff800008000000..0xffff800008004000]
| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]
| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
| Hardware name: linux,dummy-virt (DT)
| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : arm64_enter_el1_dbg+0x4/0x20
| lr : el1_dbg+0x24/0x5c
| sp : ffff800009cf0000
| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000
| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068
| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000
| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0
| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000
| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4
| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040
| Kernel panic - not syncing: kernel stack overflow
| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2
| Hardware name: linux,dummy-virt (DT)
| Call trace:
|  dump_backtrace+0xe4/0x104
|  show_stack+0x18/0x4c
|  dump_stack_lvl+0x64/0x7c
|  dump_stack+0x18/0x38
|  panic+0x14c/0x338
|  test_taint+0x0/0x2c
|  panic_bad_stack+0x104/0x118
|  handle_bad_stack+0x34/0x48
|  __bad_stack+0x78/0x7c
|  arm64_enter_el1_dbg+0x4/0x20
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
...
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
...
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34
|  el1h_64_sync_handler+0x40/0x98
|  el1h_64_sync+0x64/0x68
|  do_el0_svc+0x0/0x28
|  el0t_64_sync_handler+0x84/0xf0
|  el0t_64_sync+0x18c/0x190
| Kernel Offset: disabled
| CPU features: 0x0080,00005021,19001080
| Memory Limit: none
| ---[ end Kernel panic - not syncing: kernel stack overflow ]---

With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined into el1_dbg(), and el1_dbg() cannot be probed:

| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events
| sh: write error: No such file or directory
| # grep -w cortex_a76_errat ---truncated---
AI Analysis
Technical Summary
CVE-2022-49888 is a Linux kernel vulnerability in the arm64 exception entry code, specifically in the handling of debug exceptions on Cortex-A76 processors. It is a regression: the commit 6459b8469753e9feaa8b34691d097cffad905931 ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround") removed the NOKPROBE_SYMBOL() annotation from cortex_a76_erratum_1463225_debug_handler(), the function that runs when a debug exception or a synchronous exception from a BRK instruction is handled. The author's intent was that the compiler would inline this function into its caller el1_dbg(), which is marked noinstr and therefore cannot be probed. Where the compiler instead emitted it as a standalone function, it became a valid kprobe target. A kprobe on it is self-defeating: the software breakpoint the probe plants raises exactly the debug exception that the function handles, so the handler re-enters itself, hits the probe again, and so on until the kernel stack is exhausted and the kernel panics with "kernel stack overflow". The ftrace multiple_probes selftest triggers this, which shows the condition is reachable from ordinary debugging workflows and not only from a deliberate attack. The fix marks the function __always_inline so that it no longer exists as a separate symbol and cannot be probed independently, which removes the recursion. The vulnerability affects kernel versions containing the regressing commit and impacts systems running on ARM64 Cortex-A76 CPUs. It is a low-level kernel issue tied to the debugging infrastructure and to a CPU erratum workaround, not to any network-facing code.
Potential Impact
For European organizations, the impact of CVE-2022-49888 depends largely on how widely Linux systems on ARM64 Cortex-A76 processors are deployed; these CPUs are common in certain embedded systems, servers, and cloud infrastructure. The vulnerability causes a kernel panic when a debug probe is placed on the affected function, so its effect is a denial of service (DoS). Triggering it requires the ability to insert kprobes, which normally requires privileged access, so the realistic sources are a misconfigured or careless debugging environment, an insider, or an attacker who has already compromised an administrative account. A crash could disrupt critical services, especially in sectors relying on ARM64-based Linux servers or embedded devices such as telecommunications, industrial control systems, or cloud providers using ARM-based infrastructure. Nothing in the record indicates privilege escalation or code execution; the outcome is a kernel stack overflow and panic. Even so, the resulting loss of availability can cause operational disruption and financial or reputational damage. Because the trigger lives in the kernel's debugging mechanisms, remote exploitation without prior access is unlikely. No exploits in the wild are known, which lowers the immediate risk, but organizations should still remediate.
Mitigation Recommendations
To mitigate CVE-2022-49888, organizations should update their Linux kernels to a version that includes the patch marking cortex_a76_erratum_1463225_debug_handler() as __always_inline; once inlined, the function cannot be probed and the recursive exceptions cannot occur. Kernel upgrades should be prioritized on ARM64 Cortex-A76 systems, especially those in production or critical environments. Independently of patching, restrict the use of kprobes and other kernel debugging tools to trusted administrators, since misuse or unauthorized access is what triggers the condition; apply strict access controls and auditing to the /sys/kernel/debug/tracing interfaces so that probe insertion is both limited and logged. Where kernel upgrades are delayed, consider disabling or limiting kernel debugging features if that is feasible, to reduce the attack surface. Review kernel logs and system behavior for kernel panics or stack overflows of the kind shown in the splat above, since these could indicate attempts to exploit this vulnerability. Work with hardware and OS vendors to ensure timely patch deployment and verify that ARM64-based systems are running supported, updated kernel versions. Finally, track this vulnerability in incident response and vulnerability management workflows so that detection and remediation are rapid.
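As a defender's verification step (an added example, not part of the CVE record or of the kernel patch), the following POSIX shell script checks whether the handler still exists as a standalone, kprobe-able symbol on an arm64 kernel. It reads the same two kernel interfaces a practitioner would consult by hand: /proc/kallsyms (symbol list, one "address type name" line per symbol) and, when debugfs is mounted, /sys/kernel/debug/kprobes/blacklist (symbols the kernel refuses to probe, one "0xstart-0xend<tab>name" line each). The function names in the script are the script's own, and the sample listings it demonstrates with are constructed, with invented addresses.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel patch): classify the state of
# cortex_a76_erratum_1463225_debug_handler() on an arm64 kernel.
# With the fix the handler is inlined into el1_dbg(), so it does not appear as its
# own symbol at all; a standalone symbol that is NOT on the kprobe blacklist is the
# CVE-2022-49888 condition.
# Assumed inputs: a kallsyms listing ("<addr> <type> <name>" per line, as in
# /proc/kallsyms) and a kprobe blacklist listing ("0x<start>-0x<end>\t<name>" per
# line, as in /sys/kernel/debug/kprobes/blacklist when debugfs is mounted).

SYM=cortex_a76_erratum_1463225_debug_handler

# Exit 0 if SYM exists as its own text symbol (type t/T) in the kallsyms listing, 1 if not.
# Only fields 2 and 3 are used, so this also works when kptr_restrict zeroes the addresses.
handler_is_standalone() {
    awk -v sym="$SYM" '$2 ~ /^[tT]$/ && $3 == sym { found = 1 } END { exit !found }' "$1"
}

# Exit 0 if SYM is on the kprobe blacklist (the kernel rejects probes on it), 1 if not.
handler_is_blacklisted() {
    awk -v sym="$SYM" '$2 == sym { found = 1 } END { exit !found }' "$1"
}

# Print one word describing the handler's state:
#   INLINED      not a standalone symbol: the fixed state (or the workaround not built)
#   BLACKLISTED  standalone but NOKPROBE-protected: the pre-regression state
#   PROBEABLE    standalone and probe-able: the CVE-2022-49888 condition
classify() {
    kallsyms="$1"; blacklist="$2"
    if ! handler_is_standalone "$kallsyms"; then
        echo INLINED
    elif handler_is_blacklisted "$blacklist"; then
        echo BLACKLISTED
    else
        echo PROBEABLE
    fi
}

# Run the check against the running kernel (Linux only). The blacklist file is
# optional and treated as empty when debugfs is not mounted.
check_running_kernel() {
    bl=/sys/kernel/debug/kprobes/blacklist
    [ -r "$bl" ] || bl=/dev/null
    classify /proc/kallsyms "$bl"
}

# Helper for the constructed demos: write the sample listings to a temp dir,
# classify them, clean up. Addresses below are invented, not real kernel values.
run_demo() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/kallsyms"
    printf '%s\n' "$2" > "$d/blacklist"
    classify "$d/kallsyms" "$d/blacklist"
    rm -rf "$d"
}

# Constructed sample: handler emitted out of line and not blacklisted (the regression).
demo_unpatched() {
    run_demo 'ffff800008010000 T el1_dbg
ffff800008010100 t cortex_a76_erratum_1463225_debug_handler
ffff800008010200 T do_el0_svc' \
             "$(printf '0xffff800008010000-0xffff800008010060\tel1_dbg')"
}

# Constructed sample: handler out of line but carrying NOKPROBE_SYMBOL() (pre-regression).
demo_blacklisted() {
    run_demo 'ffff800008010000 T el1_dbg
ffff800008010100 t cortex_a76_erratum_1463225_debug_handler' \
             "$(printf '0xffff800008010100-0xffff800008010134\t%s' "$SYM")"
}

# Constructed sample: handler inlined into el1_dbg(), as the fix intends.
demo_patched() {
    run_demo 'ffff800008010000 T el1_dbg
ffff800008010200 T do_el0_svc' \
             "$(printf '0xffff800008010000-0xffff800008010060\tel1_dbg')"
}

case "${1:-}" in
    --live) check_running_kernel ;;
    *)      echo "unpatched:   $(demo_unpatched)"
            echo "blacklisted: $(demo_blacklisted)"
            echo "patched:     $(demo_patched)" ;;
esac
```

Run it with `--live` on the target host to classify the running kernel; reading symbol names from /proc/kallsyms does not require root, but the blacklist check needs debugfs mounted. A result of INLINED is the expected state after the fix (it is also what a kernel built without the erratum workaround reports, and in both cases there is nothing to probe). PROBEABLE on a Cortex-A76 system is the condition to remediate by upgrading, and in the meantime by restricting who can write to the kprobe_events interface, as recommended above.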
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.242Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3f6a
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:24:34 PM
Last updated: 8/13/2025, 6:01:25 AM
Views: 12
Related Threats
- CVE-2025-8932: SQL Injection in 1000 Projects Sales Management System (Medium)
- CVE-2025-8931: SQL Injection in code-projects Medical Store Management System (Medium)
- CVE-2025-8930: SQL Injection in code-projects Medical Store Management System (Medium)
- CVE-2025-50610: n/a (High)
- CVE-2025-50609: n/a (High)