CVE-2022-48720 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

net: macsec: Fix offload support for NETDEV_UNREGISTER event

Current macsec netdev notify handler handles NETDEV_UNREGISTER event by releasing relevant SW resources only, this causes resources leak in case of macsec HW offload, as the underlay driver was not notified to clean it's macsec offload resources.

Fix by calling the underlay driver to clean it's relevant resources by moving offload handling from macsec_dellink() to macsec_common_dellink() when handling NETDEV_UNREGISTER event.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/01/2025

The vulnerability described in CVE-2022-48720 represents a critical resource management flaw within the Linux kernel's MACsec implementation that specifically affects hardware offload capabilities. This issue resides in the network subsystem where MACsec (Media Access Control Security) functionality is implemented to provide secure communication at the data link layer. The problem manifests when a MACsec network device is unregistered from the system, particularly in scenarios where hardware offloading is enabled to accelerate cryptographic operations. The flaw stems from an incomplete cleanup process during device removal that fails to properly coordinate between the MACsec subsystem and underlying network drivers that support hardware offload capabilities.

The technical root cause of this vulnerability lies in the improper handling of the NETDEV_UNREGISTER event within the MACsec netdev notification handler. When a network device is removed from the system, the current implementation only releases software resources while neglecting to notify the underlying network driver about the need to clean up its hardware offload resources. This design flaw creates a resource leak condition where hardware-specific state information remains allocated in the driver's memory space even after the MACsec device has been effectively removed. The issue is particularly concerning because it affects the MACsec common deletion function where the offload handling logic was incorrectly positioned, preventing proper coordination between the MACsec subsystem and the hardware driver that manages the actual offload operations.

The operational impact of this vulnerability extends beyond simple resource consumption issues to potentially compromise system stability and security. When hardware offload is enabled for MACsec operations, the system allocates dedicated hardware resources including memory buffers, cryptographic engines, and hardware-specific state information. The failure to properly clean up these resources can lead to memory exhaustion over time, particularly in systems with frequent network device creation and destruction cycles. This resource leak can also affect the performance of other network operations as hardware resources become constrained, potentially causing service degradation or even system instability. From a security perspective, the improper cleanup might leave hardware state information that could be exploited or interfere with subsequent security operations, though the direct attack surface remains limited to resource exhaustion scenarios.

The fix implemented for this vulnerability addresses the core coordination issue by repositioning the offload handling logic from the macsec_dellink() function to the macsec_common_dellink() function. This change ensures that when the NETDEV_UNREGISTER event is processed, the system properly calls into the underlay driver to clean up its relevant hardware offload resources before the MACsec device is fully removed. This approach follows the principle of proper resource management and ensures that all layers of the network stack are properly synchronized during device removal operations. The solution aligns with the common practice of maintaining proper resource lifecycle management in kernel subsystems and addresses the specific requirements of hardware offload scenarios where multiple components must coordinate their cleanup operations. The fix represents a targeted correction that maintains backward compatibility while ensuring complete resource cleanup and preventing the resource leak condition that could lead to system instability or performance degradation.

This vulnerability demonstrates the complexity of managing hardware offload scenarios within kernel subsystems and highlights the importance of proper inter-subsystem coordination. The issue relates to CWE-404, which covers improper resource management, and specifically addresses the challenge of maintaining proper resource cleanup in complex network stack scenarios. From an ATT&CK perspective, this vulnerability could potentially be leveraged in resource exhaustion attacks where an adversary repeatedly creates and destroys MACsec devices to consume system resources, though the direct attack vector remains relatively limited. The fix ensures proper adherence to kernel resource management best practices and prevents the accumulation of stale hardware state information that could impact system performance or stability over extended periods of operation.

Sources

Do you need the next level of professionalism?

Upgrade your account now!