Linux Kernel up to 5.10.154/5.15.78/6.0.8 riscv of_reserved_mem_lookup buffer overflow

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
7.4$0-$5k0.00

Summaryinfo

A vulnerability identified as critical has been detected in Linux Kernel up to 5.10.154/5.15.78/6.0.8. Affected by this issue is the function of_reserved_mem_lookup of the component riscv. Performing a manipulation results in buffer overflow. This vulnerability is known as CVE-2022-49851. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Linux Kernel up to 5.10.154/5.15.78/6.0.8. This affects the function of_reserved_mem_lookup of the component riscv. The manipulation with an unknown input leads to a buffer overflow vulnerability. CWE is classifying the issue as CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: riscv: fix reserved memory setup Currently, RISC-V sets up reserved memory using the "early" copy of the device tree. As a result, when trying to get a reserved memory region using of_reserved_mem_lookup(), the pointer to reserved memory regions is using the early, pre-virtual-memory address which causes a kernel panic when trying to use the buffer's name: Unable to handle kernel paging request at virtual address 00000000401c31ac Oops [#1] Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1 Hardware name: Microchip PolarFire-SoC Icicle Kit (DT) epc : string+0x4a/0xea ra : vsnprintf+0x1e4/0x336 epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0 gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000 t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20 s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000 a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008 s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00 s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002 s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617 t5 : ffffffff812f3618 t6 : ffffffff81203d08 status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d [<ffffffff80338936>] vsnprintf+0x1e4/0x336 [<ffffffff80055ae2>] vprintk_store+0xf6/0x344 [<ffffffff80055d86>] vprintk_emit+0x56/0x192 [<ffffffff80055ed8>] vprintk_default+0x16/0x1e [<ffffffff800563d2>] vprintk+0x72/0x80 [<ffffffff806813b2>] _printk+0x36/0x50 [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24 [<ffffffff808057ec>] paging_init+0x528/0x5bc [<ffffffff808031ae>] setup_arch+0xd0/0x592 [<ffffffff8080070e>] start_kernel+0x82/0x73c early_init_fdt_scan_reserved_mem() takes no arguments as it operates on initial_boot_params, which is populated by early_init_dt_verify(). On RISC-V, early_init_dt_verify() is called twice. Once, directly, in setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly, very early in the boot process, by parse_dtb() when it calls early_init_dt_scan_nodes(). This first call uses dtb_early_va to set initial_boot_params, which is not usable later in the boot process when early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the corresponding call to early_init_dt_scan_nodes() uses fixmap addresses and doesn't suffer the same fate. Move early_init_fdt_scan_reserved_mem() further along the boot sequence, after the direct call to early_init_dt_verify() in setup_arch() so that the names use the correct virtual memory addresses. The above supposed that CONFIG_BUILTIN_DTB was not set, but should work equally in the case where it is - unflatted_and_copy_device_tree() also updates initial_boot_params.

The advisory is shared at git.kernel.org. This vulnerability is uniquely identified as CVE-2022-49851 since 05/01/2025. The exploitability is told to be easy. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 11/11/2025).

The vulnerability scanner Nessus provides a plugin with the ID 250040 (Linux Distros Unpatched Vulnerability : CVE-2022-49851), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.10.155, 5.15.79 or 6.0.9 eliminates this vulnerability. Applying the patch 94ab8f88feb75e3b1486102c0c9c550f37d9d137/518e49f0590de66555503aabe199ba8d3f2e24ac/93598deb101540c4f9e7de15099ea8255b965fc2/50e63dd8ed92045eb70a72d7ec725488320fb68b is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (250040). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

Vendor

Name

Version

License

Website

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 7.6
VulDB Meta Temp Score: 7.4

VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔍
VulDB Reliability: 🔍

NVD Base Score: 7.1
NVD Vector: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

Exploitinginfo

Class: Buffer overflow
CWE: CWE-120 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍

Physical: Partially
Local: Yes
Remote: Partially

Availability: 🔍
Status: Not defined

EPSS Score: 🔍
EPSS Percentile: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Nessus ID: 250040
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2022-49851

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Upgrade
Status: 🔍

0-Day Time: 🔍

Upgrade: Kernel 5.10.155/5.15.79/6.0.9
Patch: 94ab8f88feb75e3b1486102c0c9c550f37d9d137/518e49f0590de66555503aabe199ba8d3f2e24ac/93598deb101540c4f9e7de15099ea8255b965fc2/50e63dd8ed92045eb70a72d7ec725488320fb68b

Timelineinfo

05/01/2025 🔍
05/01/2025 +0 days 🔍
05/01/2025 +0 days 🔍
11/11/2025 +193 days 🔍

Sourcesinfo

Vendor: kernel.org

Advisory: git.kernel.org
Status: Confirmed

CVE: CVE-2022-49851 (🔍)
GCVE (CVE): GCVE-0-2022-49851
GCVE (VulDB): GCVE-100-306945

Entryinfo

Created: 05/01/2025 17:27
Updated: 11/11/2025 00:04
Changes: 05/01/2025 17:27 (59), 08/17/2025 16:32 (2), 11/11/2025 00:04 (13)
Complete: 🔍
Cache ID: 216::103

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion

No comments yet. Languages: en.

Please log in to comment.

Do you want to use VulDB in your project?

Use the official API to access entries easily!