CVE-2022-48977 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

can: af_can: fix NULL pointer dereference in can_rcv_filter

Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames.

Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices claim to be CAN devices but do not initialize ml_priv accordingly.


Analysis

by VulDB Data Team • 01/18/2026

The vulnerability described in CVE-2022-48977 represents a critical NULL pointer dereference flaw within the Linux kernel's CAN (Controller Area Network) subsystem, specifically affecting the af_can socket implementation. This issue manifests in the can_rcv_filter function, which processes incoming CAN frames and handles filter operations for CAN network communications. The vulnerability arises from insufficient validation of network device initialization states, creating a potential crash condition that could disrupt CAN communication on affected systems. The flaw is particularly concerning given CAN's widespread use in automotive systems, industrial control networks, and embedded devices where reliable network communication is essential for proper system operation.

The technical root cause of this vulnerability stems from a design change in the Linux networking stack that occurred with commit 4e096a18867a, which introduced CAN-specific pointers within the struct net_device structure. Prior to this change, the system relied solely on checking the dev->type field to be ARPHRD_CAN to identify CAN devices. However, this approach proved insufficient as newer network device types such as bonding and tun devices can claim to be CAN devices while failing to properly initialize the ml_priv (multi-layer private) structure. The fix implemented follows a pattern established by a previous similar vulnerability addressed in commit 8aa59e355949, where developers identified that the receive path for CAN frames needed additional validation before accessing the ml_priv structure. Without proper initialization checks, the system attempts to dereference a NULL pointer when processing CAN frames through network devices that incorrectly identify themselves as CAN devices but lack the necessary CAN-specific initialization.

The operational impact of this vulnerability extends beyond simple system crashes, potentially creating denial-of-service conditions in environments where CAN communication is critical. In automotive applications, this could result in complete loss of communication between vehicle control units, leading to safety-critical failures. Industrial control systems relying on CAN protocols for machine coordination and monitoring may experience unexpected interruptions that could affect production processes or safety systems. The vulnerability affects systems running Linux kernels where the CAN subsystem is enabled and active, particularly those using network devices that may claim CAN device characteristics without proper initialization. Attackers could potentially exploit this vulnerability by creating malicious network configurations that trigger the NULL pointer dereference condition, though the attack surface is limited to systems with active CAN networking capabilities and specific network device configurations.

Mitigation strategies for this vulnerability involve applying the kernel patch that implements proper NULL pointer checks in the can_rcv_filter function before accessing the ml_priv structure. System administrators should prioritize updating to kernel versions containing the fix, particularly in environments where CAN communication is essential for system functionality. The fix requires checking whether ml_priv has been properly initialized before attempting to access it, effectively preventing the NULL pointer dereference that would otherwise cause kernel panics. Organizations should also review their network device configurations to ensure that only properly initialized CAN devices are used in critical systems, as the vulnerability arises specifically in scenarios where network devices incorrectly identify themselves as CAN devices without proper initialization. Security monitoring should include detection of unusual kernel crash patterns related to CAN subsystem operations, and system hardening practices should be implemented to limit the attack surface of network device configurations that could potentially trigger this condition. This vulnerability aligns with CWE-476, which addresses NULL pointer dereference issues, and represents a typical example of how changes in kernel networking infrastructure can create unexpected compatibility issues that require careful validation of device initialization states.
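The root cause and the fix described in the two paragraphs above, as an added stand-alone C model. This is illustration code written for this page, not the kernel's af_can.c and not VulDB material: the struct names and the can_get_ml_priv helper mirror kernel identifiers, but the structs are cut down to the fields the receive-path check touches, the frame is represented only by its length, and the three devices (a real virtual CAN device, a tun device configured to claim ARPHRD_CAN without CAN private data, and an Ethernet device) are constructed for the demonstration. The point it makes is the one in the analysis: checking dev->type alone lets a device with a NULL ml_priv through, while the fixed gate also requires the CAN mid-layer private pointer before the frame is handled.

```c
/* Simplified model of the CAN receive-path gate fixed by CVE-2022-48977.
 * Added illustration, not kernel code: identifiers follow the kernel's
 * naming, but every structure here is a cut-down stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ARPHRD_CAN 280   /* kernel value for the CAN device type */
#define CAN_MTU     16   /* sizeof(struct can_frame) on the wire */

/* Stand-in for struct can_ml_priv: only a receive counter is modelled. */
struct can_ml_priv {
    unsigned long rx_frames;
};

/* Stand-in for struct net_device: just the fields the gate looks at. */
struct net_device {
    const char *name;
    unsigned short type;          /* ARPHRD_* */
    struct can_ml_priv *ml_priv;  /* NULL on a tun/bond device that merely claims CAN */
};

/* Stand-in for the kernel's can_get_ml_priv(): NULL when the device is not
 * a CAN device or never had its CAN private data set up. */
static struct can_ml_priv *can_get_ml_priv(const struct net_device *dev)
{
    if (dev->type != ARPHRD_CAN)
        return NULL;
    return dev->ml_priv;
}

/* Gate before the fix: dev->type is the only device check, so a tun or
 * bonding device configured as ARPHRD_CAN passes despite ml_priv == NULL. */
static bool old_gate_accepts(const struct net_device *dev, size_t len)
{
    return dev->type == ARPHRD_CAN && len == CAN_MTU;
}

/* Gate after the fix: the CAN private data must exist as well. */
static bool fixed_gate_accepts(const struct net_device *dev, size_t len)
{
    return dev->type == ARPHRD_CAN && can_get_ml_priv(dev) != NULL && len == CAN_MTU;
}

/* Whether the pre-fix receive path would dereference NULL for this device. */
static bool old_path_would_crash(const struct net_device *dev, size_t len)
{
    return old_gate_accepts(dev, len) && dev->ml_priv == NULL;
}

/* Receive path using the fixed gate: 0 when the frame is counted and
 * delivered, -1 when it is dropped. The dereference is safe because the
 * gate has already proved ml_priv is non-NULL. */
static int can_rcv_fixed(const struct net_device *dev, size_t len)
{
    if (!fixed_gate_accepts(dev, len))
        return -1;
    can_get_ml_priv(dev)->rx_frames++;
    return 0;
}

/* Constructed devices for the demonstration (not real system state). */
static struct can_ml_priv vcan0_priv;
static struct net_device vcan0 = { .name = "vcan0", .type = ARPHRD_CAN, .ml_priv = &vcan0_priv };
static struct net_device tun0  = { .name = "tun0",  .type = ARPHRD_CAN, .ml_priv = NULL };
static struct net_device eth0  = { .name = "eth0",  .type = 1 /* ARPHRD_ETHER */, .ml_priv = NULL };

int main(void)
{
    const struct net_device *devs[] = { &vcan0, &tun0, &eth0 };
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++) {
        const struct net_device *d = devs[i];
        printf("%-6s old gate: %s  old path crashes: %s  fixed path: %s\n",
               d->name,
               old_gate_accepts(d, CAN_MTU) ? "accept" : "drop",
               old_path_would_crash(d, CAN_MTU) ? "yes" : "no",
               can_rcv_fixed(d, CAN_MTU) == 0 ? "delivered" : "dropped");
    }
    return 0;
}
```

Run it and the tun0 line shows the bug in one row: the old gate accepts the frame and the old path would crash, while the fixed path drops it. The vcan0 row is delivered by both gates, and eth0 is dropped by both, so the fix narrows acceptance only for devices that claim CAN without CAN state.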

Responsible: Linux

Reservation: 08/22/2024

Disclosure: 10/21/2024

Moderation: accepted

CPE: ready

EPSS: 0.00243

KEV: no

Activities: very low

Sources
