CVE-2022-48974 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: fix using __this_cpu_add in preemptible
Currently in nf_conntrack_hash_check_insert(), when it fails in nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in a preemptible context, and a call trace can be triggered:
BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
Call Trace:
dump_stack_lvl+0x33/0x46
check_preemption_disabled+0xc3/0xf0
nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
netlink_rcv_skb+0x50/0x100
nfnetlink_rcv+0x65/0x144 [nfnetlink]
netlink_unicast+0x1ae/0x290
netlink_sendmsg+0x257/0x4f0
sock_sendmsg+0x5f/0x70
This patch fixes it by switching to NF_CT_STAT_INC_ATOMIC() for the nf_ct_ext_valid_pre/post() checks in nf_conntrack_hash_check_insert(), as well as for the nf_ct_ext_valid_post() check in __nf_conntrack_confirm().
Note that the nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() can safely use NF_CT_STAT_INC(), as it runs under local_bh_disable().
Analysis
by VulDB Data Team • 01/18/2026
CVE-2022-48974 is a preemption-context bug in the connection tracking module of the Linux kernel's netfilter subsystem. It sits in nf_conntrack_hash_check_insert(), where the kernel increments a connection tracking statistic with __this_cpu_add() while preemption is enabled. The faulty path is reached when the nf_ct_ext_valid_pre() or nf_ct_ext_valid_post() validation fails: the failure branch calls NF_CT_STAT_INC(), which expands to __this_cpu_add(), in a context that does not disable preemption. This violates the kernel's per-CPU access rules and can lead to undefined behavior or system instability.
The root cause is a per-CPU update used in the wrong execution context. __this_cpu_add() is meant for code that has already disabled preemption, since that is what guarantees the read-modify-write on the per-CPU counter stays on one CPU and is free of races. When it runs with preemption enabled, the kernel's preemption check (check_preemption_disabled(), visible in the trace above) detects the violation and emits the BUG message. The call trace shows the path: a netlink message enters through netlink_rcv_skb() and nfnetlink_rcv_msg(), is dispatched to ctnetlink_new_conntrack() and ctnetlink_create_conntrack(), and ends in the hash insertion logic where the check fires. Per-CPU operations must be scoped to the execution context that makes them safe, and here they were not.
The operational impact goes beyond instability: the flaw can enable denial of service conditions and compromise system integrity. An attacker could send malformed netlink messages to trigger this code path, causing kernel panics or crashes. Affected systems are those running Linux kernels with netfilter and connection tracking enabled, which is common in network appliances, firewalls, and routers. CWE-362 maps this to a concurrency weakness in which improper synchronization leads to race conditions, while the ATT&CK framework would classify it under privilege escalation through kernel exploitation techniques. The bug is particularly dangerous in network infrastructure devices where continuous operation is critical.
The patch applies a context-appropriate fix: the affected validation failure paths switch from NF_CT_STAT_INC() to NF_CT_STAT_INC_ATOMIC(). The atomic variant updates the statistic safely without requiring the caller to have disabled preemption, so it can be used from a preemptible context. The change targets nf_conntrack_hash_check_insert() and the nf_ct_ext_valid_post() check in __nf_conntrack_confirm(). The patch deliberately leaves the nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() on NF_CT_STAT_INC(), because that check runs under local_bh_disable(), which already provides the required protection. Distinguishing the two cases reflects a careful reading of the kernel's execution contexts: per-CPU updates are scoped correctly while the cheaper non-atomic form is kept where it is already safe, preserving both correctness and performance.
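To make the distinction drawn in the commit message and the analysis above concrete (NF_CT_STAT_INC() versus NF_CT_STAT_INC_ATOMIC(), and why the nf_ct_ext_valid_pre() check under local_bh_disable() in __nf_conntrack_confirm() is exempt), here is an added userspace C model; it is not kernel code and not part of this advisory. It assumes the kernel's macro expansions (NF_CT_STAT_INC() to __this_cpu_inc(), NF_CT_STAT_INC_ATOMIC() to this_cpu_inc()), a single CPU, and the generic this_cpu_inc() behaviour of disabling preemption around the update; every function name is a simplified stand-in for its kernel namesake.

```c
/* Added userspace model (not kernel code): NF_CT_STAT_INC() expands to
 * __this_cpu_inc(), whose CONFIG_DEBUG_PREEMPT check fires when preemption is
 * enabled; NF_CT_STAT_INC_ATOMIC() expands to this_cpu_inc(), safe anywhere.
 * One CPU, one counter, no scheduler; the names mirror the kernel's. */
static int preempt_count;                /* > 0: preemption disabled */
static unsigned long stat_insert_failed; /* stands in for a net->ct.stat per-CPU counter */
static int debug_preempt_bugs;           /* how often the debug check fired */

static void preempt_disable(void)  { preempt_count++; }
static void preempt_enable(void)   { preempt_count--; }
static void local_bh_disable(void) { preempt_count++; } /* also raises preempt_count */
static void local_bh_enable(void)  { preempt_count--; }

/* check_preemption_disabled(): the hook that prints "BUG: using __this_cpu_add()..." */
static void check_preemption_disabled(void) {
    if (preempt_count == 0)
        debug_preempt_bugs++;
}
/* NF_CT_STAT_INC() -> __this_cpu_inc(): caller must already hold preemption off */
static void nf_ct_stat_inc(void) {
    check_preemption_disabled();
    stat_insert_failed++;
}
/* NF_CT_STAT_INC_ATOMIC() -> this_cpu_inc(): disables preemption itself
 * (generic fallback; x86 uses a single preemption-safe per-CPU instruction) */
static void nf_ct_stat_inc_atomic(void) {
    preempt_disable();
    stat_insert_failed++;
    preempt_enable();
}

/* nf_conntrack_hash_check_insert() failing nf_ct_ext_valid_pre/post(), reached
 * from ctnetlink with preemption enabled. Returns the number of BUGs raised. */
static int hash_check_insert_fail(int patched) {
    int before = debug_preempt_bugs;
    if (patched)
        nf_ct_stat_inc_atomic();   /* post-patch */
    else
        nf_ct_stat_inc();          /* pre-patch: trips the debug check */
    return debug_preempt_bugs - before;
}

/* __nf_conntrack_confirm() checks nf_ct_ext_valid_pre() under local_bh_disable(),
 * so NF_CT_STAT_INC() is fine there. Returns the number of BUGs raised. */
static int confirm_pre_check_fail(void) {
    int before = debug_preempt_bugs;
    local_bh_disable();
    nf_ct_stat_inc();
    local_bh_enable();
    return debug_preempt_bugs - before;
}
```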