{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49063","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.244Z","datePublished":"2025-02-26T01:54:32.460Z","dateUpdated":"2025-11-03T17:31:01.995Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-06-04T12:57:13.027Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[  718.223418] Call Trace:\n[  718.227139]\n[  718.230783]  dump_stack_lvl+0x33/0x42\n[  718.234431]  print_address_description.constprop.9+0x21/0x170\n[  718.238177]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.241885]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.245539]  kasan_report.cold.18+0x7f/0x11b\n[  718.249197]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.252852]  free_irq_cpu_rmap+0x53/0x80\n[  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]\n[  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]\n[  718.267419]  ice_rebuild+0x39c/0xb60 [ice]\n[  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[  718.278033]  ? delay_tsc+0x4a/0xb0\n[  718.281513]  ? preempt_count_sub+0x14/0xc0\n[  718.284984]  ? delay_tsc+0x8f/0xb0\n[  718.288463]  ice_do_reset+0x92/0xf0 [ice]\n[  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]\n[  718.295561]  pci_reset_function+0x53/0x80\n<...>\n[  718.393035] Allocated by task 690:\n[  718.433497] Freed by task 20834:\n[  718.495688] Last potentially related work creation:\n[  718.568966] The buggy address belongs to the object at ffff8881bd127e00\n                which belongs to the cache kmalloc-96 of size 96\n[  718.574085] The buggy address is located 0 bytes inside of\n                96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[  718.579265] The buggy address belongs to the page:\n[  718.598905] Memory state around the buggy address:\n[  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[  718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.610811]                    ^\n[  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_arfs.c","drivers/net/ethernet/intel/ice/ice_lib.c","drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"28bf26724fdb0e02267d19e280d6717ee810a10d","lessThan":"ba2f6ec28733fb6b24ed086e676df3df4c138f3f","status":"affected","versionType":"git"},{"version":"28bf26724fdb0e02267d19e280d6717ee810a10d","lessThan":"618df75f2e30c7838a3e010ca32cd4893ec9fe33","status":"affected","versionType":"git"},{"version":"28bf26724fdb0e02267d19e280d6717ee810a10d","lessThan":"d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3","status":"affected","versionType":"git"},{"version":"28bf26724fdb0e02267d19e280d6717ee810a10d","lessThan":"d7442f512b71fc63a99c8a801422dde4fbbf9f93","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_arfs.c","drivers/net/ethernet/intel/ice/ice_lib.c","drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.238","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.184","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.4","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.15.184"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ba2f6ec28733fb6b24ed086e676df3df4c138f3f"},{"url":"https://git.kernel.org/stable/c/618df75f2e30c7838a3e010ca32cd4893ec9fe33"},{"url":"https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3"},{"url":"https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93"}],"title":"ice: arfs: fix use-after-free when freeing @rx_cpu_rmap","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49063","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:17:43.737630Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:35.691Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:31:01.995Z"}}]}}