CVE-2022-49844 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
can: dev: fix skb drop check
In commit a6d190f8c767 ("can: skb: drop tx skb if in listen only mode") the priv->ctrlmode element is read even on virtual CAN interfaces that do not create the struct can_priv at startup. This out-of-bounds read may lead to CAN frame drops for virtual CAN interfaces like vcan and vxcan.
This patch mainly reverts the original commit and adds a new helper for CAN interface drivers that provide the required information in struct can_priv.
[mkl: patch pch_can, too]
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/12/2025
The vulnerability described in CVE-2022-49844 represents a critical out-of-bounds memory access issue within the Linux kernel's CAN (Controller Area Network) subsystem. This flaw specifically affects virtual CAN interfaces such as vcan and vxcan, which are commonly used for testing and development purposes in automotive and industrial networking environments. The vulnerability stems from improper handling of memory access patterns when processing CAN frames in listen-only mode, creating a potential for system instability and data corruption.
The technical root cause of this vulnerability lies in an improper memory access pattern where the kernel attempts to read from the priv->ctrlmode element without ensuring that the required struct can_priv structure has been properly initialized. This occurs during the processing of transmit socket buffers (skb) when virtual CAN interfaces are operating in listen-only mode. The original commit a6d190f8c767 introduced a mechanism to drop transmit socket buffers when in listen-only mode, but failed to account for the fact that virtual CAN interfaces do not always create the necessary struct can_priv structure during initialization. This oversight creates an out-of-bounds memory read that can result in unpredictable behavior and frame drops.
The operational impact of this vulnerability extends beyond simple frame loss, as it can compromise the reliability of CAN network communications in embedded systems and automotive applications. When virtual CAN interfaces encounter this memory access violation, they may drop CAN frames that should be transmitted, leading to potential communication failures in vehicle networks, industrial control systems, or other environments where CAN protocols are critical. The vulnerability affects not only the basic vcan interface but also vxcan and potentially other virtual CAN implementations, making it particularly concerning for systems that rely heavily on virtual CAN testing and development environments.
This vulnerability aligns with CWE-125: Out-of-bounds Read, which is classified under the broader category of memory safety issues in kernel space. The flaw demonstrates poor bounds checking and improper initialization handling that can lead to information disclosure and system instability. From an ATT&CK perspective, this vulnerability could be leveraged in a privilege escalation scenario or as part of a broader attack chain targeting embedded systems. The fix implemented addresses the core issue by reverting the problematic commit and introducing a new helper function that properly validates the presence of required information in struct can_priv before attempting memory access. The patch also includes updates for the pch_can driver to ensure comprehensive coverage of affected CAN interface implementations.
The mitigation strategy involves applying the kernel patch that reverts the problematic commit and implements proper validation checks for CAN interface drivers. System administrators and developers should prioritize updating affected kernel versions, particularly in automotive and industrial environments where virtual CAN interfaces are extensively used for testing and development. Organizations maintaining embedded systems that utilize virtual CAN interfaces should conduct thorough testing to ensure that the patch does not introduce regressions in normal CAN communication patterns while providing the necessary protection against the out-of-bounds memory access vulnerability.