CVE-2022-48954

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's s390/qeth driver that occurs during bridge-to-device event handling. An attacker could potentially exploit this to cause kernel memory corruption, leading to system crashes or arbitrary code execution. Systems running Linux kernel versions with the vulnerable qeth driver on s390 architecture are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions running on s390/s390x architecture
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the qeth network driver loaded, typically on IBM Z/s390x systems. The vulnerability is triggered during bridge-to-device event processing.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to denial of service, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.

🟠

Likely Case

System crash or kernel panic causing denial of service, requiring system reboot to restore functionality.

🟢

If Mitigated

No impact if the vulnerable driver is not loaded or if the system is patched.

🌐 Internet-Facing: LOW - This requires local access or network access to trigger bridge events.
🏢 Internal Only: MEDIUM - Internal attackers with network access could potentially trigger the vulnerability through bridge configuration changes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering specific bridge network events. The vulnerability was discovered through KASAN testing, suggesting it may be difficult to reliably exploit for arbitrary code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits bde0dfc7c456, db6343a5b0d9, and ebaaadc332cd

Vendor Advisory: https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits.
2. For distributions: Use package manager to update kernel package.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Unload qeth driver

linux

Remove the vulnerable qeth driver module if not required for system operation

modprobe -r qeth_l2
modprobe -r qeth

Disable bridge events

linux

Prevent bridge-to-device events that trigger the vulnerability

echo 0 > /sys/class/net/<bridge>/bridge/group_fwd_mask
bridge link set dev <interface> guard off

🧯 If You Can't Patch

  • Restrict network bridge configuration to trusted users only
  • Implement network segmentation to limit bridge event exposure

🔍 How to Verify

Check if Vulnerable:

Check if qeth driver is loaded: lsmod | grep qeth. Check kernel version against patched versions.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits: uname -r. Check /proc/version for commit hashes.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN reports of use-after-free in qeth_l2_br2dev_worker
  • System crash/reboot events

Network Indicators:

  • Unusual bridge configuration changes
  • Multiple bridge FDB (Forwarding Database) updates

SIEM Query:

event.category:kernel AND (qeth_l2_br2dev_worker OR "use-after-free")
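
The module check from "How to Verify" and the KASAN log indicator above, combined into one host-side triage script. This is an added example, not code from the kernel project or the advisory; the function names and the sample log lines are constructed for illustration. Unlike the OR-based query above, the log match requires the KASAN header to name both the use-after-free type and qeth_l2_br2dev_worker on the same line, so unrelated use-after-free reports are not counted.

```shell
#!/bin/sh
# Added example: host triage for CVE-2022-48954 indicators.
# Function names and sample data are constructed for illustration.

# qeth_modules_loaded [FILE]
# Succeeds if qeth or qeth_l2 is listed in a /proc/modules-format file
# (first column is the module name). Defaults to /proc/modules.
qeth_modules_loaded() {
    awk '$1 == "qeth" || $1 == "qeth_l2" { found = 1 }
         END { exit !found }' "${1:-/proc/modules}"
}

# count_qeth_uaf
# Reads kernel log text on stdin and prints how many KASAN report headers
# name a use-after-free inside qeth_l2_br2dev_worker. Newer kernels label
# the same class of bug "slab-use-after-free", so both spellings match.
count_qeth_uaf() {
    grep -cE 'BUG: KASAN: (slab-)?use-after-free in qeth_l2_br2dev_worker\+' || true
}

# Constructed sample kernel log: one relevant report, one unrelated
# use-after-free, and one ordinary line. Offsets and addresses are dummies.
sample_log() {
    cat <<'EOF'
[  100.000001] BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x0/0x0 [qeth_l2]
[  100.000002] Read of size 1 at addr 0000000000000000 by task kworker/u8:1/123
[  200.000001] BUG: KASAN: use-after-free in some_other_func+0x0/0x0
[  300.000001] example: unrelated kernel message
EOF
}

# Demo over the constructed sample; only the first line is counted.
printf 'qeth KASAN use-after-free reports in sample: %s\n' \
    "$(sample_log | count_qeth_uaf)"
```

On a live host, pipe `dmesg` or `journalctl -k` into `count_qeth_uaf`; a report only appears on kernels built with KASAN, so a zero count does not show that the kernel is patched.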
