Cyber Resilience

CVE-2022-49687

High

Published: 26 February 2025

Modified: 22 January 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0006 (19.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49687 is a high-severity vulnerability of an unspecified weakness type in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 19.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49687 is a vulnerability in the Linux kernel's virtio_net driver, specifically affecting the handling of XDP receive queue information (xdp_rxq_info) during suspend and resume operations. The issue arises because the virtnet_freeze() function frees the receive queue, including the xdp_rxq_info structure, without calling xdp_rxq_info_unreg(), while virtnet_restore() recreates the queue without xdp_rxq_info_reg(). This leads to a driver bug warning when performing operations like bringing a virtio_net interface up, suspending the system (e.g., to memory), resuming, and then taking the interface down.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access to manage network interfaces and trigger suspend/resume. Successful exploitation triggers a kernel warning in xdp_rxq_info_unreg(), potentially resulting in high confidentiality impact (C:H) through unauthorized data access and high availability impact (A:H) via denial of service, as scored at CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

Kernel stable patches address the issue by invoking virtnet_close() and virtnet_open() from the freeze and restore handlers, ensuring proper xdp_rxq_info_(un)reg() calls; these also align the logic with interface open/close operations while handling refill work appropriately for running interfaces. Relevant commits are available at https://git.kernel.org/stable/c/340fbdc8011f2dc678f622c5ce1cbb5ab8305de7, https://git.kernel.org/stable/c/57ee40f1b198b59d43c216fbc4672f9300d3c8b0, https://git.kernel.org/stable/c/8af52fe9fd3bf5e7478da99193c0632276e1dfce, https://git.kernel.org/stable/c/8c7a32b7c15555beddc5810c3334d9cefff061bf, and https://git.kernel.org/stable/c/8d7fe9ad6fddc2af8bde4b921b4f8fab231ed38c.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: fix xdp_rxq_info bug after suspend/resume

The following sequence currently causes a driver bug warning when using virtio_net:

  # ip link set eth0 up
  # echo mem > /sys/power/state (or e.g. # rtcwake -s 10 -m mem)
  <resume>
  # ip link set eth0 down

  Missing register, driver bug
  WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60
  Call trace:
   xdp_rxq_info_unreg+0x58/0x60
   virtnet_close+0x58/0xac
   __dev_close_many+0xac/0x140
   __dev_change_flags+0xd8/0x210
   dev_change_flags+0x24/0x64
   do_setlink+0x230/0xdd0
   ...

This happens because virtnet_freeze() frees the receive_queue completely (including struct xdp_rxq_info) but does not call xdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the receive_queue again but does not call xdp_rxq_info_reg().

Actually, parts of virtnet_freeze_down() and virtnet_restore_up() are almost identical to virtnet_close() and virtnet_open(): only the calls to xdp_rxq_info_(un)reg() are missing. This means that we can fix this easily and avoid such problems in the future by just calling virtnet_close()/open() from the freeze/restore handlers.

Aside from adding the missing xdp_rxq_info calls the only difference is that the refill work is only cancelled if netif_running(). However, this should not make any functional difference since the refill work should only be active if the network interface is actually up.
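To check hosts for the warning quoted above, the following added example (not part of the kernel commit or of this page's data) scans kernel log lines for the xdp_rxq_info_unreg() WARNING and records whether a virtnet_* frame appears in its call trace. The function name, the record fields and the timestamped sample log are assumptions constructed for illustration.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix
WARN = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\w+)\+0x")
FRAME = re.compile(r"^\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
MARKER = "Missing register, driver bug"  # message quoted on this page

# Constructed sample: the page's trace with timestamps and an unrelated warning added.
SAMPLE_LOG = """\
[  100.000001] WARNING: CPU: 1 PID: 88 at example/other.c:10 example_other_warn+0x10/0x20
[  312.004100] Missing register, driver bug
[  312.004200] WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60
[  312.004300] Modules linked in: virtio_net
[  312.004400] Call trace:
[  312.004500]  xdp_rxq_info_unreg+0x58/0x60
[  312.004600]  virtnet_close+0x58/0xac
[  312.004700]  __dev_close_many+0xac/0x140
[  312.004800] ---[ end trace ]---
"""


def find_xdp_unreg_warnings(lines, window=40):
    """Return one record per xdp_rxq_info_unreg() WARNING in kernel log lines."""
    lines = [TS.sub("", ln.rstrip("\n")) for ln in lines]
    hits = []
    for i, line in enumerate(lines):
        m = WARN.search(line)
        if not m or m.group(4) != "xdp_rxq_info_unreg":
            continue
        frames, in_trace = [], False
        for nxt in lines[i + 1:i + 1 + window]:
            if not in_trace:
                if WARN.search(nxt):
                    break  # next warning started before any trace was seen
                in_trace = nxt.strip().lower() == "call trace:"
                continue
            f = FRAME.match(nxt)
            if not f:
                break  # first non-frame line ends the call trace
            frames.append(f.group(1))
        hits.append({
            "cpu": int(m.group(1)), "pid": int(m.group(2)), "location": m.group(3),
            "marker": any(MARKER in p for p in lines[max(0, i - 3):i]),
            "frames": frames,
            # A virtnet_* frame ties the warning to the virtio_net path described here.
            "virtio_net": any(fr.startswith("virtnet_") for fr in frames),
        })
    return hits
```

Feed it the output of `dmesg` or a saved kernel log split into lines; a record with `virtio_net` set to true on a kernel in the affected ranges indicates the missing stable patch.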


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Local kernel driver flaw in virtio_net/XDP handling directly enables unauthorized local data access (T1005) and system/application DoS via triggered warnings or instability (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49623 · Same product: Linux Linux Kernel
CVE-2026-31513 · Same product: Linux Linux Kernel
CVE-2026-23315 · Same product: Linux Linux Kernel
CVE-2024-58015 · Same product: Linux Linux Kernel
CVE-2026-31771 · Same product: Linux Linux Kernel
CVE-2026-23187 · Same product: Linux Linux Kernel
CVE-2026-23424 · Same product: Linux Linux Kernel
CVE-2024-58007 · Same product: Linux Linux Kernel
CVE-2025-21742 · Same product: Linux Linux Kernel
CVE-2024-58014 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 4.16 — 4.19.250 · 4.20 — 5.4.202 · 5.5 — 5.10.127

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the vulnerability by applying kernel stable patches that properly invoke xdp_rxq_info registration and unregistration during virtio_net suspend/resume operations.

detect

Vulnerability scanning identifies the unpatched Linux kernel virtio_net driver susceptible to improper xdp_rxq_info handling during suspend/resume.

detect

Monitoring kernel security alerts and advisories ensures awareness of CVE-2022-49687 and prompts timely patching of the virtio_net flaw.
