CVE-2022-49904 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net, neigh: Fix null-ptr-deref in neigh_table_clear()

When IPv6 module gets initialized but hits an error in the middle, kenel panic with:

KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]
CPU: 1 PID: 361 Comm: insmod Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370 RSP: 0018:ffff888012677908 EFLAGS: 00000202 ... Call Trace: neigh_table_clear+0x94/0x2d0 ndisc_cleanup+0x27/0x40 [ipv6]
inet6_init+0x21c/0x2cb [ipv6]
do_one_initcall+0xd3/0x4d0 do_init_module+0x1ae/0x670 ... Kernel panic - not syncing: Fatal exception

When ipv6 initialization fails, it will try to cleanup and calls:

neigh_table_clear() neigh_ifdown(tbl, NULL) pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL)) # dev_net(NULL) triggers null-ptr-deref.

Fix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev is NULL, to make kernel not panic immediately.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability described in CVE-2022-49904 represents a critical null pointer dereference issue within the Linux kernel's networking subsystem, specifically affecting the neighbor table cleanup mechanism during IPv6 module initialization failures. This flaw exists in the net/neighbor subsystem and manifests when the IPv6 module encounters an error during initialization but subsequently attempts to perform cleanup operations. The vulnerability occurs during the kernel's module loading process when the ipv6_init function fails to complete successfully, yet still attempts to invoke cleanup routines that lead to a kernel panic.

The technical implementation of this vulnerability stems from improper handling of NULL device pointers within the neighbor table cleanup functions. When the IPv6 module initialization fails, the system calls neigh_table_clear() which eventually invokes neigh_ifdown() with a NULL device parameter. The function pneigh_queue_purge() is then called with dev_net(NULL) as an argument, which triggers a null pointer dereference at memory address range 0x0000000000000598-0x000000000000059f. This particular memory access pattern causes the kernel to immediately panic and halt system operations, preventing normal system recovery and potentially leading to denial of service conditions.

The operational impact of this vulnerability is severe as it can be exploited to cause immediate system crashes during normal kernel module initialization sequences. Attackers could potentially trigger this condition through malicious module loading attempts or by manipulating system resources during IPv6 initialization. The vulnerability affects systems running Linux kernel versions where the fix has not been applied, making it particularly dangerous in production environments where automatic module loading or system updates might occur. This type of kernel panic represents a direct violation of system stability and availability principles, as outlined in the Common Weakness Enumeration standard CWE-476.

The mitigation strategy for this vulnerability involves ensuring that the neigh_ifdown() function properly handles NULL device parameters by passing appropriate NULL values to pneigh_queue_purge() when the device parameter is NULL. This fix aligns with established kernel security practices and follows the principle of defensive programming where all function parameters are validated before use. The solution directly addresses the root cause by preventing the null pointer dereference that occurs during cleanup operations. Organizations should prioritize applying the relevant kernel patches that implement this fix, as it represents a critical security update that prevents potential denial of service attacks and system instability. This vulnerability also relates to ATT&CK technique T1499.004 which involves system disruption through kernel-level attacks, making it particularly important for security teams to address promptly.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!