CVE-2022-49592
Published: 26 February 2025
Summary
CVE-2022-49592 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 24.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49592 is a shift-out-of-bounds vulnerability in the Linux kernel's stmmac Ethernet driver, specifically in the dwmac4_core.c file. The issue arises during DMA queue mapping when the queue number exceeds 4, causing a left shift overflow on a 32-bit unsigned integer variable. This results in incorrect mask calculations for MTL_RXQ_DMA_MAP1, potentially leading to an out-of-bounds write (CWE-787). The vulnerability manifests as a UBSAN warning during network interface initialization, such as when NetworkManager or similar processes open the stmmac device.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by triggering network interface setup, for example opening the device with ip link set. Successful exploitation can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, likely through memory corruption from the out-of-bounds write during stmmac_hw_setup and related functions.
Mitigation is provided through upstream kernel patches in the stable repository, including commits such as 508d86ead36cbd8dfb60773a33276790d668c473, 573768dede0e2b7de38ecbc11cb3ee47643902dc, 613b065ca32e90209024ec4a6bb5ca887ee70980, 7c687a893f5cae5ca40d189635602e93af9bab73, and a3ac79f38d354b10925824899cdbd2caadce55ba. These fixes correct the MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping. Affected systems using Linux kernel 5.15 and similar versions with stmmac (e.g., on Intel IoTG hardware) should apply these updates. Additional details are available in Bugzilla ticket 216195.
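To make the bug class concrete, the following user-space C program is an added illustration and is not the kernel's own code. It assumes a simplified register model in which each MTL RXQ DMA map register holds four 8-bit-stride slots with a 4-bit DMA channel number each, queues 0-3 living in MAP0 and queues 4-7 in MAP1; the register names are taken from the advisory, the field layout is an assumption. It shows how indexing the shift by the absolute queue number yields an exponent of 40 for queue 5 (exactly the value UBSAN reports above), why that is undefined for a 32-bit operand, and how computing the shift from the queue's slot within its register keeps the mask correct.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not the kernel's own layout): each map
 * register holds four 8-bit-stride slots, each carrying a 4-bit DMA
 * channel number. Queues 0-3 live in MAP0, queues 4-7 in MAP1. */
#define QUEUES_PER_REG   4u
#define SLOT_STRIDE_BITS 8u
#define CHAN_FIELD_MASK  0xFu
#define MAP0 0
#define MAP1 1

/* Shift exponent the pre-fix formula uses: 8 * queue, indexed by the
 * absolute queue number even for the MAP1 register. For queue 5 this is
 * 40, which UBSAN reports as too large for a 32-bit type. */
unsigned int buggy_shift_exponent(unsigned int queue)
{
	return SLOT_STRIDE_BITS * queue;
}

/* A left shift on a 32-bit unsigned operand is only defined for
 * exponents 0..31; anything larger is undefined behaviour in C, so the
 * exponent is checked here instead of being applied. */
bool shift_fits_u32(unsigned int exponent)
{
	return exponent < 32u;
}

/* Fixed formula: index the slot relative to the register the queue
 * lives in, so the exponent never exceeds 24. */
unsigned int fixed_shift_exponent(unsigned int queue)
{
	return SLOT_STRIDE_BITS * (queue % QUEUES_PER_REG);
}

/* 4-bit mask selecting the channel field of `queue` inside its register. */
uint32_t fixed_field_mask(unsigned int queue)
{
	return CHAN_FIELD_MASK << fixed_shift_exponent(queue);
}

/* `chan` positioned in the channel field of `queue` inside its register. */
uint32_t fixed_field_value(unsigned int chan, unsigned int queue)
{
	return (chan & CHAN_FIELD_MASK) << fixed_shift_exponent(queue);
}

/* Read-modify-write of the simulated MAP0/MAP1 pair: clears the slot for
 * `queue`, then writes `chan` into it. Returns false without touching the
 * registers when the queue does not fit the two-register model. */
bool map_queue_to_chan(uint32_t regs[2], unsigned int queue, unsigned int chan)
{
	unsigned int reg = queue / QUEUES_PER_REG;

	if (reg > MAP1)
		return false;

	regs[reg] &= ~fixed_field_mask(queue);
	regs[reg] |= fixed_field_value(chan, queue);
	return true;
}

int main(void)
{
	uint32_t regs[2] = { 0, 0 };
	unsigned int q;

	for (q = 0; q < 8; q++) {
		unsigned int e = buggy_shift_exponent(q);

		printf("queue %u: buggy exponent %2u (%s), fixed exponent %2u\n",
		       q, e, shift_fits_u32(e) ? "ok" : "OUT OF RANGE",
		       fixed_shift_exponent(q));
	}

	map_queue_to_chan(regs, 0, 2);
	map_queue_to_chan(regs, 5, 3);
	printf("MAP0 = 0x%08x, MAP1 = 0x%08x\n", regs[MAP0], regs[MAP1]);
	return 0;
}
```

Building the program with -fsanitize=undefined and replacing the guarded check with a raw `CHAN_FIELD_MASK << buggy_shift_exponent(5)` would reproduce the same "shift exponent 40 is too large for 32-bit type" diagnostic in user space; the version above deliberately never performs the out-of-range shift.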
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54640
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix dma queue left shift overflow issue

When queue number is > 4, left shift overflows due to 32 bits integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning:

[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel out-of-bounds write in the stmmac driver enables local memory corruption that is reachable through low-privilege network interface commands, supporting privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of the kernel flaw in the stmmac driver to eliminate the shift-out-of-bounds vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify systems with vulnerable Linux kernel versions affected by CVE-2022-49592 in the stmmac Ethernet driver.
- Memory protection: Provides memory protections like ASLR and non-executable pages that mitigate exploitation of the out-of-bounds write in the stmmac DMA queue mapping.