What is CVE-2022-48850?

CVE-2022-48850 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a NULL Pointer Dereference flaw (CWE-476). CVE-2022-48850 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2022-48850?

CVE-2022-48850 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2022-48850?

No patch is currently available for CVE-2022-48850. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2022-48850 actively exploited?

CVE-2022-48850 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is NULL Pointer Dereference (CWE-476)?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/476.html

CVE-2022-48850

Medium

In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed. [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called ... [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) [ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280 crash> bt ... PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd" ... #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 [exception RIP: dma_pool_alloc+0x1ab] RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 crash> net_device.state ffff89443b0c0000 state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) To prevent this scenario, we also make sure that the netdevice is present.

Package Linux Kernel

Published 2024-07-16

Last modified 2024-11-21

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-476

CVE-2022-48850 is a NULL Pointer Dereference vulnerability

What is NULL Pointer Dereference?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. Learn more on MITRE CWE

References

The following references provide additional information about CVE-2022-48850 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/081369ad088a76429984483b8a5f7e967a125aad
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3a79f380b3e10edf6caa9aac90163a5d7a282204
Patch
Kernel patch commit
https://git.kernel.org/stable/c/4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2022-48850

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-07-16

Modified 2024-11-21

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2022-48850?

CVE-2022-48850 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as a NULL Pointer Dereference flaw (CWE-476) . CVE-2022-48850 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2022-48850?

CVE-2022-48850 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2022-48850?

No patch is currently available for CVE-2022-48850. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2022-48850 actively exploited?

No — CVE-2022-48850 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is NULL Pointer Dereference (CWE-476)?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. View CWE-476 on MITRE CWE →