CVE-2022-49692: net: phy: at803x: fix NULL pointer dereference on AR9331 PHY
First published: Wed Feb 26 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net: phy: at803x: fix NULL pointer dereference on AR9331 PHY Latest kernel will explode on the PHY interrupt config, since it depends now on allocated priv. So, run probe to allocate priv to fix it. ar9331_switch ethernet.1:10 lan0 (uninitialized): PHY [!ahb!ethernet@1a000000!mdio!switch@10:00] driver [Qualcomm Atheros AR9331 built-in PHY] (irq=13) CPU 0 Unable to handle kernel paging request at virtual address 0000000a, epc == 8050e8a8, ra == 80504b34 ... Call Trace: [<8050e8a8>] at803x_config_intr+0x5c/0xd0 [<80504b34>] phy_request_interrupt+0xa8/0xd0 [<8050289c>] phylink_bringup_phy+0x2d8/0x3ac [<80502b68>] phylink_fwnode_phy_connect+0x118/0x130 [<8074d8ec>] dsa_slave_create+0x270/0x420 [<80743b04>] dsa_port_setup+0x12c/0x148 [<8074580c>] dsa_register_switch+0xaf0/0xcc0 [<80511344>] ar9331_sw_probe+0x370/0x388 [<8050cb78>] mdio_probe+0x44/0x70 [<804df300>] really_probe+0x200/0x424 [<804df7b4>] __driver_probe_device+0x290/0x298 [<804df810>] driver_probe_device+0x54/0xe4 [<804dfd50>] __device_attach_driver+0xe4/0x130 [<804dcb00>] bus_for_each_drv+0xb4/0xd8 [<804dfac4>] __device_attach+0x104/0x1a4 [<804ddd24>] bus_probe_device+0x48/0xc4 [<804deb44>] deferred_probe_work_func+0xf0/0x10c [<800a0ffc>] process_one_work+0x314/0x4d4 [<800a17fc>] worker_thread+0x2a4/0x354 [<800a9a54>] kthread+0x134/0x13c [<8006306c>] ret_from_kernel_thread+0x14/0x1c Same Issue would affect some other PHYs (QCA8081, QCA9561), so fix it too.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | >=5.18<5.18.8 | |
| Linux Kernel | =5.19-rc1 | |
| Linux Kernel | =5.19-rc2 | |
| Linux Kernel | =5.19-rc3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-49692?
CVE-2022-49692 has a severity level that is typically classified as medium due to the potential for a NULL pointer dereference leading to instability.
How do I fix CVE-2022-49692?
To fix CVE-2022-49692, ensure you update to a patched version of the Linux kernel that resolves the NULL pointer dereference issue.
Which versions of the Linux kernel are affected by CVE-2022-49692?
CVE-2022-49692 affects Linux kernel versions prior to 5.19-rc1, including those in the 5.18.x range.
What does CVE-2022-49692 affect specifically within the Linux kernel?
CVE-2022-49692 specifically affects the PHY interrupt configuration in the Linux kernel's handling of the at803x driver.
Has CVE-2022-49692 been resolved in recent updates?
Yes, CVE-2022-49692 has been resolved in the latest versions of the Linux kernel following releases that address the vulnerability.
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/title
- agent/references
- agent/author
- agent/source
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/linux foundation
- canonical/linux kernel
- vendor/linux
- version/linux kernel/5.18
- version/linux kernel/5.19-rc1
- version/linux kernel/5.19-rc2
- version/linux kernel/5.19-rc3