CVE-2022-49928 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed
There is a null-ptr-deref when xps sysfs alloc failed: BUG: KASAN: null-ptr-deref in sysfs_do_create_link_sd+0x40/0xd0 Read of size 8 at addr 0000000000000030 by task gssproxy/457
CPU: 5 PID: 457 Comm: gssproxy Not tainted 6.0.0-09040-g02357b27ee03 #9 Call Trace: dump_stack_lvl+0x34/0x44 kasan_report+0xa3/0x120 sysfs_do_create_link_sd+0x40/0xd0 rpc_sysfs_client_setup+0x161/0x1b0 rpc_new_client+0x3fc/0x6e0 rpc_create_xprt+0x71/0x220 rpc_create+0x1d4/0x350 gssp_rpc_create+0xc3/0x160 set_gssp_clnt+0xbc/0x140 write_gssp+0x116/0x1a0 proc_reg_write+0xd6/0x130 vfs_write+0x177/0x690 ksys_write+0xb9/0x150 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
When the xprt_switch sysfs alloc failed, should not add xprt and switch sysfs to it, otherwise, maybe null-ptr-deref; also initialize the 'xps_sysfs' to NULL to avoid oops when destroy it.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability described in CVE-2022-49928 represents a critical null pointer dereference issue within the Linux kernel's sunrpc subsystem, specifically affecting the handling of xps sysfs allocation failures. This flaw manifests when the system attempts to create sysfs links for rpc transport switches but fails during the allocation process, leading to a kernel panic scenario. The vulnerability occurs in the rpc_sysfs_client_setup function where the code path does not properly handle allocation failures, resulting in a null pointer dereference when attempting to access memory at address 0x0000000000000030. The issue is particularly concerning as it can be triggered through normal system operations involving gssproxy processes, making it exploitable in legitimate system usage scenarios.
The technical root cause stems from improper error handling in the rpc subsystem's sysfs management code where the xps_sysfs structure is not properly initialized to NULL before allocation attempts. When the xprt_switch sysfs allocation fails, the code continues execution without proper validation, attempting to create sysfs links to a null pointer. This behavior directly violates the principle of defensive programming and can be classified under CWE-476 Null Pointer Dereference, which is a fundamental security weakness where a null pointer is dereferenced without proper null checks. The kernel's memory management and sysfs subsystem interaction creates a scenario where memory corruption occurs when the system attempts to reference freed or unallocated memory structures, leading to potential system instability and denial of service conditions.
The operational impact of this vulnerability extends beyond simple system crashes as it can be leveraged to cause persistent service disruptions in networked environments relying on rpc services. The gssproxy process, which handles generic security services for rpc connections, becomes a vector for exploitation when it attempts to write to sysfs entries during rpc client creation. This creates a potential attack surface where malicious actors could trigger the vulnerability through crafted rpc operations or by manipulating system configurations that force rpc client initialization. The vulnerability affects systems running kernel versions that include the specific patch addressing this issue, with the reported kernel version 6.0.0 showing the problem. The memory access pattern indicates that the kernel's KASAN (Kernel Address Sanitizer) detected the invalid memory access, confirming the null pointer dereference occurred during sysfs operations. This vulnerability can be categorized under the ATT&CK technique T1499.004 for Network Denial of Service and potentially T1059.001 for Command and Scripting Interpreter if exploited through process manipulation.
Mitigation strategies for CVE-2022-49928 involve applying the appropriate kernel patches that properly initialize the xps_sysfs structure to NULL and implement proper error handling for sysfs allocation failures. System administrators should prioritize updating to kernel versions containing the fix, which typically includes the specific commit addressing the null pointer dereference in the rpc subsystem. The patch ensures that when xprt_switch sysfs allocation fails, the system properly handles the error condition without attempting to create sysfs links to invalid memory locations. Additionally, monitoring systems should be configured to detect unusual rpc client creation patterns or sysfs write operations that might indicate exploitation attempts. The fix also includes proper cleanup procedures during module destruction to prevent oops conditions when attempting to destroy uninitialized structures, providing a more robust error recovery mechanism for the sunrpc subsystem. Organizations should implement comprehensive kernel update policies to ensure all systems running rpc services are protected against this vulnerability, as the exploitation could potentially lead to complete system compromise or denial of service in networked environments.