CVE-2022-49863 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

can: af_can: fix NULL pointer dereference in can_rx_register()

It causes NULL pointer dereference when testing as following: (a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket. (b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan link device, and bind vxcan device to bond device (can also use ifenslave command to bind vxcan device to bond device). (c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket. (d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.

The bond device invokes the can-raw protocol registration interface to receive CAN packets. However, ml_priv is not allocated to the dev, dev_rcv_lists is assigned to NULL in can_rx_register(). In this case, it will occur the NULL pointer dereference issue.

The following is the stack information: BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP
RIP: 0010:can_rx_register+0x12d/0x1e0 Call Trace:

raw_enable_filters+0x8d/0x120 raw_enable_allfilters+0x3b/0x130 raw_bind+0x118/0x4f0 __sys_bind+0x163/0x1a0 __x64_sys_bind+0x1e/0x30 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/14/2026

The vulnerability CVE-2022-49863 represents a critical NULL pointer dereference in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the af_can protocol implementation. This flaw manifests during the registration process of CAN raw sockets and occurs when attempting to bind bond devices to CAN sockets. The vulnerability stems from improper memory allocation handling where the ml_priv structure is not properly initialized for bond devices, leading to a NULL pointer dereference when the can_rx_register() function attempts to access dev_rcv_lists that has been assigned NULL. The issue is particularly significant as it can be triggered through a series of specific system calls involving netlink socket creation, device bonding operations, and CAN socket binding, making it exploitable in scenarios involving CAN network communications.

The technical root cause of this vulnerability lies in the improper initialization of network device structures within the CAN subsystem. When a bond device is created and subsequently bound to a CAN socket, the system fails to allocate the necessary ml_priv structure for the device, leaving dev_rcv_lists as NULL. This occurs during the can_rx_register() function execution where the kernel attempts to access the device's receive lists without proper validation. The vulnerability is classified under CWE-476 as a NULL pointer dereference, representing a classic memory safety issue where a program attempts to access memory at a NULL address. The attack vector is particularly concerning as it can be exploited through legitimate system calls, making it difficult to distinguish from normal operational behavior and increasing the potential for covert exploitation.

The operational impact of this vulnerability extends beyond simple system crashes, potentially leading to complete system instability and denial of service conditions within automotive and industrial control systems that rely heavily on CAN communications. The NULL pointer dereference results in kernel oops and system panics, effectively terminating the affected kernel operations and potentially causing critical infrastructure failures in automotive networks, industrial automation systems, or embedded devices utilizing CAN protocols. This vulnerability directly impacts the CAN subsystem's ability to handle bonded network configurations, which are commonly used in automotive applications to aggregate multiple CAN channels for enhanced reliability and performance. The exploitability of this issue through standard system calls means that any application with appropriate privileges could trigger the vulnerability, making it particularly dangerous in environments where multiple applications might have access to network socket operations.

Mitigation strategies for CVE-2022-49863 require immediate kernel updates addressing the specific memory allocation issue in the af_can subsystem, with patches ensuring proper initialization of ml_priv structures for all device types including bond devices. System administrators should prioritize applying the relevant kernel security patches from their distribution vendors, as this vulnerability affects the core network subsystem functionality. Network segmentation and access control measures should be implemented to limit privileged socket operations, particularly in automotive and industrial environments where CAN communications are critical. Monitoring for abnormal system behavior, including kernel oops messages and unexpected system panics, should be enhanced to detect potential exploitation attempts. Additionally, organizations should consider implementing runtime protection mechanisms such as kernel module integrity checks and memory protection features to detect and prevent exploitation attempts. The vulnerability's classification under ATT&CK technique T1059.003 (Command and Scripting Interpreter) indicates that exploitation could occur through legitimate system call sequences, emphasizing the need for comprehensive monitoring and access control policies rather than relying solely on signature-based detection methods.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00165

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!