CVE-2022-49703 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2022-49703?

CVE-2022-49703 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's ibmvfc SCSI driver allows a crash during kexec/kdump operations on Power 9 systems with legacy XICS interrupt controllers. This can cause kernel panics and system instability, primarily affecting Linux systems running on IBM Power 9 hardware with specific interrupt controller configurations.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's ibmvfc SCSI driver allows a crash during kexec/kdump operations on Power 9 systems with legacy XICS interrupt controllers. This can cause kernel panics and system instability, primarily affecting Linux systems running on IBM Power 9 hardware with specific interrupt controller configurations.

💻 Affected Systems

Products:

Linux kernel

Versions: Kernel versions containing the vulnerable ibmvfc driver code prior to the fix commits

Operating Systems: Linux distributions running on IBM Power 9 hardware

Default Config Vulnerable: ✅ No

Notes: Only affects systems with: 1) IBM Power 9 hardware, 2) Legacy XICS interrupt controller, 3) ibmvfc SCSI driver loaded, 4) During kexec/kdump operations

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially disrupting critical operations during kexec/kdump scenarios.

🟠

Likely Case

System crash during kexec/kdump operations on vulnerable Power 9 systems, causing downtime and failed crash dump collection.

🟢

If Mitigated

No impact if systems are patched or don't use the vulnerable configuration.

🌐 Internet-Facing: LOW - Requires local access and specific hardware/configuration.

🏢 Internal Only: MEDIUM - Affects Power 9 servers running vulnerable Linux kernels during maintenance/reboot operations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires specific hardware configuration and timing during kexec/kdump operations. No known public exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 6d38e3b614ded59da8b95377a98df969a5a5627a, 8540f66196ca35b7b5e902932571c18b9fde0cd1, aeaadcde1a60138bceb65de3cdaeec78170b4459

Vendor Advisory: https://git.kernel.org/stable/c/6d38e3b614ded59da8b95377a98df969a5a5627a

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify ibmvfc driver version includes the fix.

🔧 Temporary Workarounds

Disable ibmvfc driver

linux

Prevent loading of vulnerable ibmvfc driver if not required

echo 'blacklist ibmvfc' >> /etc/modprobe.d/blacklist.conf
rmmod ibmvfc

Use modern interrupt controller

linux

Configure system to use XIVE instead of legacy XICS interrupt controller

Add 'xive=on' to kernel boot parameters in GRUB configuration

🧯 If You Can't Patch

Avoid kexec/kdump operations on vulnerable Power 9 systems
Ensure proper backup and recovery procedures for systems that might crash during maintenance

🔍 How to Verify

Check if Vulnerable:

Check if running on Power 9 hardware with: cat /proc/cpuinfo | grep -i power9 && check if ibmvfc module is loaded: lsmod | grep ibmvfc

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits: git log --oneline | grep -E '6d38e3b|8540f66|aeaadcd'

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages mentioning ibmvfc_interrupt_scsi
NULL pointer dereference errors at address 0x58
Oops messages with ibmvfc in call trace

Network Indicators:

None - local kernel vulnerability

SIEM Query:

source="kernel" AND ("ibmvfc" OR "NULL pointer dereference" OR "Oops: Kernel access of bad area")

📊 Metadata

CVE ID: CVE-2022-49703

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.03% exploit probability (7.9th percentile)

Published: February 26, 2025

Last Updated: October 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-49703, you might also want to check these: