What is the severity of CVE-2022-48976?

CVE-2022-48976 is classified as a medium severity vulnerability impacting the Linux kernel.

How do I fix CVE-2022-48976?

To fix CVE-2022-48976, update your Linux kernel to a version beyond the affected versions listed in the advisory.

Which Linux kernel versions are affected by CVE-2022-48976?

CVE-2022-48976 affects Linux kernel versions from 5.15.157 to 6.0.13 and various 6.11 release candidates.

What components are impacted by CVE-2022-48976?

CVE-2022-48976 impacts the netfilter flowtable offload component of the Linux kernel.

Is CVE-2022-48976 exploitable remotely?

CVE-2022-48976 does not appear to be remotely exploitable, but could affect systems with untrusted network traffic.

Vulnerability/
CVE-2022-48976

medium

5.5

21/10/2024

19/12/2024

CVE-2022-48976: netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

First published: Mon Oct 21 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable_offload: fix using __this_cpu_add in preemptible flow_offload_queue_work() can be called in workqueue without bh disabled, like the call trace showed in my act_ct testing, calling NF_FLOW_TABLE_STAT_INC() there would cause a call trace: BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560 caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table] Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct] Call Trace: <TASK> dump_stack_lvl+0x33/0x46 check_preemption_disabled+0xc3/0xf0 flow_offload_queue_work+0xec/0x1b0 [nf_flow_table] nf_flow_table_iterate+0x138/0x170 [nf_flow_table] nf_flow_table_free+0x140/0x1a0 [nf_flow_table] tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct] process_one_work+0x6a3/0x1030 worker_thread+0x8a/0xdf0 This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC() instead in flow_offload_queue_work(). Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(), it may not be called in preemptible path, but it's good to use NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in flow_offload_queue_work().

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Software	Affected Version	How to fix
Linux Kernel	>=5.15.157<6.0.13
Linux Kernel	=6.11-rc1
Linux Kernel	=6.11-rc2
Linux Kernel	=6.11-rc3
Linux Kernel	=6.11-rc4
Linux Kernel	=6.11-rc5
Linux Kernel	=6.11-rc6
Linux Kernel	=6.11-rc7
Linux Kernel	=6.11-rc8

Remedy

https://git.kernel.org/stable/c/a220a11fda012fba506b35929672374c2723ae6d

Remedy

https://git.kernel.org/stable/c/a81047154e7ce4eb8769d5d21adcbc9693542a79

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-48976?
CVE-2022-48976 is classified as a medium severity vulnerability impacting the Linux kernel.
How do I fix CVE-2022-48976?
To fix CVE-2022-48976, update your Linux kernel to a version beyond the affected versions listed in the advisory.
Which Linux kernel versions are affected by CVE-2022-48976?
CVE-2022-48976 affects Linux kernel versions from 5.15.157 to 6.0.13 and various 6.11 release candidates.
What components are impacted by CVE-2022-48976?
CVE-2022-48976 impacts the netfilter flowtable offload component of the Linux kernel.
Is CVE-2022-48976 exploitable remotely?
CVE-2022-48976 does not appear to be remotely exploitable, but could affect systems with untrusted network traffic.

agent/references
agent/title
agent/type
agent/description
agent/first-publish-date
agent/author
agent/event
agent/severity
agent/remedy
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/linux
canonical/linux kernel
version/linux kernel/5.15.157
version/linux kernel/6.11-rc1
version/linux kernel/6.11-rc2
version/linux kernel/6.11-rc3
version/linux kernel/6.11-rc4
version/linux kernel/6.11-rc5
version/linux kernel/6.11-rc6
version/linux kernel/6.11-rc7
version/linux kernel/6.11-rc8

Frequently Asked Questions

What is the severity of CVE-2022-48976?
CVE-2022-48976 is classified as a medium severity vulnerability impacting the Linux kernel.
How do I fix CVE-2022-48976?
To fix CVE-2022-48976, update your Linux kernel to a version beyond the affected versions listed in the advisory.
Which Linux kernel versions are affected by CVE-2022-48976?
CVE-2022-48976 affects Linux kernel versions from 5.15.157 to 6.0.13 and various 6.11 release candidates.
What components are impacted by CVE-2022-48976?
CVE-2022-48976 impacts the netfilter flowtable offload component of the Linux kernel.
Is CVE-2022-48976 exploitable remotely?
CVE-2022-48976 does not appear to be remotely exploitable, but could affect systems with untrusted network traffic.

CVE-2022-48976: netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-48976?

How do I fix CVE-2022-48976?

Which Linux kernel versions are affected by CVE-2022-48976?

What components are impacted by CVE-2022-48976?

Is CVE-2022-48976 exploitable remotely?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2022-48976?

How do I fix CVE-2022-48976?

Which Linux kernel versions are affected by CVE-2022-48976?

What components are impacted by CVE-2022-48976?

Is CVE-2022-48976 exploitable remotely?