CVE-2022-49940 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->receive is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will occur.
Fix this by avoiding the call to "gsm->receive()" in case the function is not initialized by adding a sanity check.
Call Trace:
 <TASK>
 gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861
 tiocsti drivers/tty/tty_io.c:2293 [inline]
 tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Analysis
by VulDB Data Team • 11/19/2025
CVE-2022-49940 is a NULL pointer dereference in the Linux kernel's GSM 07.10 multiplexer line discipline (n_gsm), which lives in the tty subsystem and multiplexes several logical channels over a single serial link to a GSM modem. The bug is in gsmld_receive_buf() in drivers/tty/n_gsm.c (line 2861 in the reported kernel), where incoming bytes are handed to the gsm->receive() function pointer without first checking that the pointer has been set.
The root cause is a state assumption, not a malformed input: gsm->receive is only installed when the MUX is activated, yet gsmld_receive_buf() is reachable before that happens. The call trace shows the concrete path. The TIOCSTI ioctl (tiocsti() in drivers/tty/tty_io.c) pushes a byte straight into the line discipline's receive path, so if the N_GSM0710 line discipline has been attached to a tty but the MUX was never activated, gsm->receive is still NULL when the indirect call is made. The kernel reports the fault as an oops that kills the calling task, and as a full panic on systems with panic_on_oops set. A driver that installs a handler pointer lazily has to check it at every entry point that can run before installation; this one did not.
The practical impact is local denial of service: a user who can attach the n_gsm line discipline to a tty and issue TIOCSTI can crash the kernel in the ioctl caller's context and, depending on configuration, bring the whole system down. Embedded and telecom systems that rely on n_gsm for modem multiplexing are the most exposed, but the trace runs through the generic tty_ioctl() and vfs_ioctl() code, so nothing beyond an ordinary tty with the ldisc attached is needed to reach the bug. The weakness is CWE-476 (NULL Pointer Dereference), with CWE-691 (Insufficient Control Flow Management) as the broader class; it is a missing state check rather than missing input validation, and the report shows no memory corruption or privilege escalation, only the crash. Kernels shipping the n_gsm driver before the fix was merged (and before the corresponding stable backports) are affected.
The fix is a one-line sanity check: gsmld_receive_buf() now tests gsm->receive before calling through it and skips the byte when the pointer is NULL, so data arriving before MUX activation is dropped rather than dereferenced. In ATT&CK terms the vulnerability maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation); the patch removes that trigger. Organizations should apply the kernel update carrying this commit, since the trigger is a single ioctl that requires minimal privileges and no GSM hardware. Where patching is delayed, not enabling CONFIG_N_GSM on systems that have no GSM modem removes the reachable path entirely. The general lesson for kernel code is the one the patch applies: every function pointer a driver installs lazily must be validated at each entry point that can execute before the installation happens.
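A userspace model of the pre-fix and post-fix gsmld_receive_buf() logic, added here as an illustration and not taken from the kernel source or from the VulDB page: struct gsm_mux, gsm0_receive(), gsm_activate_mux() and the tiocsti_fixed() helper are simplified stand-ins with assumed names and shapes, and the frame bytes are constructed sample input. It shows why the same byte that would fault in the unpatched path is dropped harmlessly once the sanity check is in place, and why the two versions are indistinguishable once the MUX has been activated.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's struct gsm_mux (assumed shape): only
 * the state relevant to this bug is modelled. The receive handler is a
 * function pointer that gsm_activate_mux() installs; before activation it is
 * NULL, exactly the condition the patch checks for. */
struct gsm_mux {
    void (*receive)(struct gsm_mux *gsm, unsigned char c); /* NULL until activation */
    size_t bytes_received;  /* bytes handed to receive() */
    size_t bytes_dropped;   /* bytes refused by the fixed path */
};

/* Stand-in for gsm0_receive(): count the bytes handed to the framer. */
static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
{
    (void)c;
    gsm->bytes_received++;
}

/* The receive handler is only installed here, when the MUX is activated. */
static void gsm_activate_mux(struct gsm_mux *gsm)
{
    gsm->receive = gsm0_receive;
}

/* Pre-fix shape of gsmld_receive_buf(): every byte goes through gsm->receive
 * on the assumption that the MUX is already up. With gsm->receive == NULL this
 * is a NULL function-pointer call (an oops in the kernel). The demo below only
 * calls it after activation for that reason. */
static void gsmld_receive_buf_vulnerable(struct gsm_mux *gsm,
                                         const unsigned char *cp, size_t count)
{
    for (size_t i = 0; i < count; i++)
        gsm->receive(gsm, cp[i]);
}

/* Post-fix shape: the same loop with the sanity check from the patch. Bytes
 * that arrive before activation are dropped instead of dereferencing NULL.
 * Returns the number of bytes actually delivered. */
static size_t gsmld_receive_buf_fixed(struct gsm_mux *gsm,
                                      const unsigned char *cp, size_t count)
{
    size_t delivered = 0;
    for (size_t i = 0; i < count; i++) {
        if (gsm->receive) {
            gsm->receive(gsm, cp[i]);
            delivered++;
        } else {
            gsm->bytes_dropped++;
        }
    }
    return delivered;
}

/* Models the TIOCSTI path in the call trace: tty_ioctl() -> tiocsti() pushes
 * one byte straight into the line discipline's receive_buf. Nothing on this
 * path checks whether the MUX was ever activated. (Assumed helper name.) */
static size_t tiocsti_fixed(struct gsm_mux *gsm, unsigned char c)
{
    return gsmld_receive_buf_fixed(gsm, &c, 1);
}

/* Scenario 1: ldisc attached, MUX never activated, TIOCSTI issued.
 * The fixed path delivers 0 bytes and never touches the NULL pointer. */
size_t scenario_before_activation(void)
{
    struct gsm_mux gsm = {0};   /* fresh ldisc state: receive == NULL */
    return tiocsti_fixed(&gsm, 0xF9);
}

/* Scenario 2: MUX activated first, so old and new code behave identically.
 * Returns the total number of bytes the framer saw (4). */
size_t scenario_after_activation(void)
{
    struct gsm_mux gsm = {0};
    const unsigned char frame[] = {0xF9, 0x07, 0xEF, 0x03}; /* constructed sample */
    gsm_activate_mux(&gsm);
    gsmld_receive_buf_vulnerable(&gsm, frame, 2);  /* safe only because receive is set */
    gsmld_receive_buf_fixed(&gsm, frame + 2, 2);
    return gsm.bytes_received;
}

int main(void)
{
    printf("before activation: %zu byte(s) delivered\n", scenario_before_activation());
    printf("after activation:  %zu byte(s) received\n", scenario_after_activation());
    return 0;
}
```

The model keeps the vulnerable loop in the file but deliberately never runs it against an inactive MUX; the point of the comparison is that the fixed loop returns normally in exactly the state the unpatched loop would crash in, and that the check costs nothing once activation has happened.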