CVE-2022-49806 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: microchip: sparx5: Fix potential null-ptr-deref in sparx_stats_init() and sparx5_start()

sparx_stats_init() calls create_singlethread_workqueue() and not checked the ret value, which may return NULL. And a null-ptr-deref may happen:

sparx_stats_init() create_singlethread_workqueue() # failed, sparx5->stats_queue is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref

Check the ret value and return -ENOMEM if it is NULL. So as sparx5_start().

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2022-49806 represents a critical null pointer dereference issue within the Linux kernel's Microchip Sparx5 network driver implementation. This flaw exists in the networking subsystem specifically affecting devices utilizing the Microchip Sparx5 switch architecture. The vulnerability stems from inadequate error handling during the initialization phase of network statistics tracking mechanisms, creating a potential pathway for system instability and denial of service conditions.

The technical flaw manifests in two primary functions: sparx_stats_init() and sparx5_start(). Both functions invoke create_singlethread_workqueue() to establish a work queue for handling network statistics processing, but fail to properly validate the return value from this system call. When create_singlethread_workqueue() encounters resource constraints or other initialization failures, it returns NULL instead of a valid work queue structure. The subsequent code does not check this return value, leading to a situation where a NULL pointer is passed to queue_delayed_work() functions, ultimately resulting in a null pointer dereference when the kernel attempts to access wq->flags in the internal __queue_work() function.

This vulnerability directly maps to CWE-476, which categorizes null pointer dereference conditions in software implementations. The operational impact of this flaw extends beyond simple system crashes, as it can be exploited to cause denial of service conditions within network infrastructure devices running affected Linux kernels. The attack surface is particularly concerning for network switches and embedded systems where the Sparx5 driver is deployed, as these devices often operate in environments where availability and reliability are paramount. The flaw demonstrates poor defensive programming practices where error conditions are not properly handled, creating a pathway for undefined behavior that can be leveraged by malicious actors to disrupt network operations.

The mitigation strategy involves implementing proper error checking mechanisms in both affected functions to validate the return value from create_singlethread_workqueue() and return appropriate error codes such as -ENOMEM when allocation failures occur. This approach aligns with best practices outlined in the Linux kernel security guidelines and ATT&CK technique T1499.004, which addresses network denial of service attacks. System administrators should prioritize applying the relevant kernel patches that address this specific vulnerability, particularly in environments where network switch functionality is critical. The fix ensures that when work queue allocation fails, the driver properly handles the error condition and propagates appropriate error codes rather than allowing the system to continue execution with invalid pointers. This vulnerability underscores the importance of robust error handling in kernel space code and the necessity of comprehensive testing for resource allocation failure scenarios in network driver implementations.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!