CVE-2022-48670
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's PECI (Platform Environment Control Interface) CPU driver. When auxiliary_device_add() fails, the adev_release() function incorrectly calls auxiliary_device_uninit() again, causing a refcount underflow and memory corruption. This affects Linux systems with PECI hardware support.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential privilege escalation leading to full system compromise.
Likely Case
System instability, kernel crashes, or denial of service conditions.
If Mitigated
Limited impact if PECI functionality is not used or systems are properly patched.
🎯 Exploit Status
Requires local access to trigger the specific error condition in auxiliary_device_add().
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 1c11289b34ab67ed080bbe0f1855c4938362d9cf and c87f1f99e26ea4ae08cabe753ae98e5626bdba89
Vendor Advisory: https://git.kernel.org/stable/c/1c11289b34ab67ed080bbe0f1855c4938362d9cf
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable PECI CPU driver
Prevent loading of the vulnerable PECI CPU driver module
echo 'blacklist peci_cpu' >> /etc/modprobe.d/blacklist-peci.conf
rmmod peci_cpu
🧯 If You Can't Patch
- Ensure strict access controls to prevent unauthorized local users from accessing the system
- Monitor for kernel panic/crash logs and implement system health monitoring
🔍 How to Verify
Check if Vulnerable:
Check whether the PECI CPU driver is loaded with lsmod | grep peci_cpu, and check the kernel version against the patched versions
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version includes the fix commits and, if PECI is needed, that the PECI driver functions normally
📡 Detection & Monitoring
Log Indicators:
- Kernel warnings about refcount underflow
- System crashes/panics related to PECI or auxiliary devices
Network Indicators:
- None - local vulnerability only
SIEM Query:
search 'refcount_t: underflow; use-after-free' OR 'WARNING.*refcount_warn_saturate' in kernel logs
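The log indicators above can be triaged with a short script. This is an added example, not part of the original advisory or of the kernel project: it groups kernel WARN blocks and marks a refcount underflow as PECI-related only when a trace line, rather than the loaded-module list, names PECI or auxiliary-device code. The function names classify_klog and sample_klog, the verdict labels and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify kernel WARN blocks that carry the refcount-underflow
# indicators. Reads FILE (or stdin) and prints "<first line no> <verdict>".
classify_klog() {
    awk '
    function emit_block() {
        if (in_block && refcount)
            print start, (peci ? "PECI_RELATED" : "REFCOUNT_OTHER")
        in_block = 0; refcount = 0; peci = 0
    }
    /\[ cut here \]/ { emit_block(); in_block = 1; start = NR; next }
    in_block && /refcount_t: underflow; use-after-free/ { refcount = 1 }
    in_block && /WARNING.*refcount_warn_saturate/      { refcount = 1 }
    # "Modules linked in:" lists every loaded module, so it is not evidence;
    # only a trace frame naming PECI or auxiliary-device code counts.
    in_block && !/Modules linked in:/ && /peci|auxiliary_device|adev_release/ { peci = 1 }
    /\[ end trace/ { emit_block() }
    END { emit_block() }
    ' "$@"
}

# Constructed sample log (not captured from a real system): one PECI-related
# underflow, one unrelated underflow, one WARN that is not a refcount issue.
sample_klog() {
    cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: underflow; use-after-free.
[  101.000003] WARNING: CPU: 0 PID: 41 at lib/refcount.c:28 refcount_warn_saturate+0x0/0x0
[  101.000004] Modules linked in: peci_cpu peci
[  101.000005] Call Trace:
[  101.000006]  adev_release+0x0/0x0 [peci_cpu]
[  101.000007] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] refcount_t: underflow; use-after-free.
[  202.000003] WARNING: CPU: 1 PID: 77 at lib/refcount.c:28 refcount_warn_saturate+0x0/0x0
[  202.000004] Modules linked in: peci_cpu peci example_mod
[  202.000005] Call Trace:
[  202.000006]  example_put+0x0/0x0 [example_mod]
[  202.000007] ---[ end trace 0000000000000000 ]---
[  303.000001] ------------[ cut here ]------------
[  303.000002] WARNING: CPU: 2 PID: 9 at drivers/example/foo.c:10 example_warn+0x0/0x0
[  303.000003] ---[ end trace 0000000000000000 ]---
EOF
}

sample_klog | classify_klog
```

On a live host the same function can read the kernel log from a saved file, for example the output of dmesg or journalctl -k.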