CVE-2022-48830

Advisory lineage Upstream: 0 Downstream: 8

Downstream

DEBIAN-CVE-2022-48830 RHSA-2025:20518 SUSE-SU-2024:2894-1 SUSE-SU-2024:2902-1 SUSE-SU-2024:2929-1 SUSE-SU-2024:2939-1

Analyzed

Published: 16 Jul 2024, 11:44

Last modified:11 May 2026, 18:47

Vulnerability Summary

Overall Risk (default)

low

19/100

CVSS Score

4.7 MEDIUM

v3.1 (nvd)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Jul 2024, 11:44

Published

Vulnerability first disclosed

11 May 2026, 18:47

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put(). ======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation.

CVSS Metrics

v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 2%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

linux•linux
≥ e057dd3fc20ffb3d7f150af46542a51b59b90127, < 7b53d2204ce79b27a878074a77d64f40ec21dbca | ≥ e057dd3fc20ffb3d7f150af46542a51b59b90127, < f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3 | ≥ e057dd3fc20ffb3d7f150af46542a51b59b90127, < 5b068f33bc8acfcfd5ea7992a2dafb30d89bad30 | ≥ e057dd3fc20ffb3d7f150af46542a51b59b90127, < 7c759040c1dd03954f650f147ae7175476d51314 | 5.10
linux•linux_kernel
≥ 5.10, < 5.10.101 | ≥ 5.11, < 5.15.24 | ≥ 5.16, < 5.16.10 | 5.17:rc1 | 5.17:rc2 | 5.17:rc3