{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49096","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.249Z","datePublished":"2025-02-26T01:54:49.108Z","dateUpdated":"2025-10-01T19:57:05.717Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:29:48.329Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sfc: add missing xdp queue reinitialization\n\nAfter rx/tx ring buffer size is changed, kernel panic occurs when\nit acts XDP_TX or XDP_REDIRECT.\n\nWhen tx/rx ring buffer size is changed(ethtool -G), sfc driver\nreallocates and reinitializes rx and tx queues and their buffer\n(tx_queue->buffer).\nBut it misses reinitializing xdp queues(efx->xdp_tx_queues).\nSo, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized\ntx_queue->buffer.\n\nA new function efx_set_xdp_channels() is separated from efx_set_channels()\nto handle only xdp queues.\n\nSplat looks like:\n   BUG: kernel NULL pointer dereference, address: 000000000000002a\n   #PF: supervisor write access in kernel mode\n   #PF: error_code(0x0002) - not-present page\n   PGD 0 P4D 0\n   Oops: 0002 [#4] PREEMPT SMP NOPTI\n   RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n   CPU: 2 PID: 0 Comm: swapper/2 Tainted: G      D           5.17.0+ #55 e8beeee8289528f11357029357cf\n   Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n   RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297\n   RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n   RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870\n   RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0\n   RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000\n   R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n   R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0\n   FS:  0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n   CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0\n   RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297\n   PKRU: 55555554\n   RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870\n   RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700\n   RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000\n   R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n   R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700\n   FS:  0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0\n   PKRU: 55555554\n   Call Trace:\n    <IRQ>\n    efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    ? enqueue_task_fair+0x95/0x550\n    efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/sfc/efx_channels.c"],"versions":[{"version":"3990a8fffbdad5765f47ea593f9de66c91762059","lessThan":"ed7a824fda8732578d1014fad1f7fb0363705090","status":"affected","versionType":"git"},{"version":"3990a8fffbdad5765f47ea593f9de66c91762059","lessThan":"b8c46bc358d84701e7f7ffa054037db25f25da0e","status":"affected","versionType":"git"},{"version":"3990a8fffbdad5765f47ea593f9de66c91762059","lessThan":"dcc85e1593686e42c6749ef3d356db34759d59e8","status":"affected","versionType":"git"},{"version":"3990a8fffbdad5765f47ea593f9de66c91762059","lessThan":"059a47f1da93811d37533556d67e72f2261b1127","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/sfc/efx_channels.c"],"versions":[{"version":"5.5","status":"affected"},{"version":"0","lessThan":"5.5","status":"unaffected","versionType":"semver"},{"version":"5.15.34","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.20","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.3","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.15.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.16.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ed7a824fda8732578d1014fad1f7fb0363705090"},{"url":"https://git.kernel.org/stable/c/b8c46bc358d84701e7f7ffa054037db25f25da0e"},{"url":"https://git.kernel.org/stable/c/dcc85e1593686e42c6749ef3d356db34759d59e8"},{"url":"https://git.kernel.org/stable/c/059a47f1da93811d37533556d67e72f2261b1127"}],"title":"net: sfc: add missing xdp queue reinitialization","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49096","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:49:29.340028Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:57:05.717Z"}}]}}