CVE-2022-48726

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's RDMA/ucma subsystem that occurs during concurrent multicast leave operations. Attackers could potentially exploit this to cause kernel crashes or execute arbitrary code with kernel privileges. Systems using RDMA (Remote Direct Memory Access) with the ucma component are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions before the fix commits (specific versions vary by distribution, generally before kernel 5.16 with backports)
Operating Systems: Linux distributions with RDMA/ucma support enabled
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if RDMA subsystem is enabled and ucma component is in use. Many standard Linux installations don't have RDMA enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.
🟠 Likely Case: Kernel crash leading to denial of service and system instability, requiring reboot to restore functionality.
🟢 If Mitigated: System remains stable with proper patching; unpatched systems may experience crashes under specific RDMA multicast operations.

🌐 Internet-Facing: LOW - RDMA typically requires local network access and specific configurations, rarely exposed directly to internet.
🏢 Internal Only: MEDIUM - Internal attackers with RDMA access could potentially trigger the vulnerability, but requires specific RDMA multicast operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires RDMA access and ability to trigger concurrent multicast leave operations. The KASAN report suggests race condition exploitation is non-trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Linux kernel commit 2923948ffe0835f7114e948b35bcc42bc9b3baa1 and backported to stable branches

Vendor Advisory: https://git.kernel.org/stable/c/2923948ffe0835f7114e948b35bcc42bc9b3baa1

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing fix commit 2923948ffe0835f7114e948b35bcc42bc9b3baa1
2. Check distribution-specific security advisories for backported patches
3. Reboot system after kernel update

🔧 Temporary Workarounds

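Disable RDMA/ucma module (Linux)

Prevent loading of the vulnerable RDMA ucma module if it is not required. Run both commands as root. rmmod fails while the module is still in use, so stop any applications using RDMA first.

echo 'blacklist rdma_ucm' > /etc/modprobe.d/disable-rdma-ucm.conf
rmmod rdma_ucm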
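
Added example (not from the advisory or the kernel project): a blacklist line only suppresses alias-based autoloading, so an explicit modprobe rdma_ucm still loads the module, while an install rdma_ucm /bin/false line makes a plain modprobe run a no-op instead. The hypothetical ucma_state helper below reports which state a host is in, given a /proc/modules-format file and a modprobe.d-style directory.

```shell
#!/bin/sh
# Added example; ucma_state is a hypothetical helper name.
# Classifies rdma_ucm as: loaded | blocked | blacklist-only | loadable
ucma_state() {
    modules_file=$1   # /proc/modules format, module name in column 1
    conf_dir=$2       # directory holding modprobe *.conf files

    # Already loaded: the workaround has not taken effect (rmmod or reboot).
    if awk '$1 == "rdma_ucm" { found = 1 } END { exit !found }' "$modules_file"; then
        echo loaded
        return 0
    fi

    # Collect directives that name the module, ignoring comments.
    # modprobe treats "-" and "_" in module names as equivalent.
    directives=$(cat "$conf_dir"/*.conf 2>/dev/null | sed 's/#.*//' |
        awk '{ name = $2; gsub(/-/, "_", name) }
             name == "rdma_ucm" && $1 == "blacklist" { print "blacklist" }
             name == "rdma_ucm" && $1 == "install"   { print "install " $3 }')

    if printf '%s\n' "$directives" | grep -Eq '^install (/usr)?/bin/(false|true)$'; then
        # The install override replaces the load with a no-op command.
        echo blocked
    elif printf '%s\n' "$directives" | grep -q '^blacklist$'; then
        # Only alias-based autoloading is suppressed; "modprobe rdma_ucm" works.
        echo blacklist-only
    else
        echo loadable
    fi
}

# Run against the live host when the files are readable.
if [ -r /proc/modules ] && [ -d /etc/modprobe.d ]; then
    ucma_state /proc/modules /etc/modprobe.d
fi
```

A result of loaded or blacklist-only means the workaround above is incomplete on that host.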

🧯 If You Can't Patch

  • Disable RDMA functionality if not required for system operation
  • Restrict RDMA access to trusted users and systems only

🔍 How to Verify

Check if Vulnerable:

Check if RDMA ucma module is loaded: lsmod | grep rdma_ucm
Check kernel version against distribution security advisories

Check Version:

uname -r

Verify Fix Applied:

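Compare the running kernel release (uname -r) with the fixed version listed in your distribution's advisory for this CVE. /proc/version contains only the release and build string, not upstream commit hashes, so it cannot be searched for fix commit 2923948ffe0835f7114e948b35bcc42bc9b3baa1.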
Check with distribution package manager for applied security updates

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN use-after-free reports in dmesg
  • System crash/reboot events

Network Indicators:

  • Unusual RDMA multicast traffic patterns

SIEM Query:

EventID=41 OR (Source="kernel" AND (Message="KASAN: use-after-free" OR Message="BUG: KASAN"))
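
Added example (not from the advisory): KASAN reports appear only on kernels built with CONFIG_KASAN, which production distribution kernels normally are not, so this sketch goes beyond the KASAN strings above and also counts page-fault and general-protection-fault reports that name a ucma_* symbol. The helper names, the 40-line window and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; ucma_crash_reports and sample_log are hypothetical names.
# Counts crash reports whose header or call trace names a ucma_* symbol.
ucma_crash_reports() {
    awk '
        # A report starts at a KASAN, page-fault oops or GPF header line.
        /BUG: KASAN: |BUG: unable to handle|general protection fault/ {
            in_report = 1; lines_left = 40; counted = 0
        }
        in_report {
            # symbol+0xoff/0xsize is how the kernel prints a code location.
            if (!counted && $0 ~ /(^|[^A-Za-z0-9_])ucma_[a-z0-9_]+\+0x/) {
                hits++; counted = 1
            }
            if (--lines_left == 0) in_report = 0
        }
        END { print hits + 0 }
    ' "$@"
}

# Constructed sample log: symbol names, offsets and addresses are made up.
sample_log() {
    cat <<'EOF'
[  100.000001] BUG: KASAN: use-after-free in ucma_example_path+0x10/0x80 [rdma_ucm]
[  100.000002] Read of size 8 at addr ffff888000000000 by task example/1234
[  100.000003]  ucma_example_path+0x10/0x80 [rdma_ucm]
[  200.000001] BUG: KASAN: use-after-free in other_driver_fn+0x10/0x20
[  200.000002]  other_driver_fn+0x10/0x20
[  300.000001] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP
[  300.000002] RIP: 0010:ucma_example_path+0x1a/0x80 [rdma_ucm]
EOF
}

# Real use: dmesg | ucma_crash_reports   (or pass a saved log file)
sample_log | ucma_crash_reports
```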
