CVE-2022-48638: cgroup: cgroup_get_from_id() must check the looked-up kn is a directory
In the Linux kernel, the following vulnerability has been resolved:
cgroup: cgroup_get_from_id() must check the looked-up kn is a directory
cgroup has to be one kernfs dir, otherwise kernel panic is caused,
especially cgroup id is provide from userspace.
Security readout for executives and security teams
Plain-English summary
A local user can trigger unsafe Linux kernel cgroup handling when a user-provided cgroup ID resolves to a non-directory kernfs node. The cited impact is a kernel panic, with limited confidentiality, integrity, and availability impact scored by CVSS.
Executive priority
Treat as a normal-priority kernel maintenance item unless affected systems host untrusted users or shared workloads. It is not cited as actively exploited, but kernel panics can disrupt business services.
Technical view
The flaw is in Linux kernel cgroup_get_from_id(). The fix requires verifying that the looked-up kernfs node is a directory before treating it as a cgroup. The CVE lists local, low-complexity, low-privilege access with no user interaction.
Likely exposure
Exposure is most relevant on Linux systems running affected kernel builds, especially shared, multi-user, or container-heavy hosts where untrusted local users exist. Distribution backports may change exposure.
Exploitation context
The bundle does not cite active exploitation, and KEV is false. The described attack context is local authenticated access, not remote unauthenticated exploitation.
Researcher notes
Evidence is limited to the CVE record and kernel stable references. The affected-version data is sparse, so rely on distribution advisories and commit inclusion checks rather than raw upstream version assumptions.
Mitigation direction
Update Linux kernel packages using vendor or distribution guidance.
Confirm the deployed kernel includes the referenced stable cgroup fixes.
Prioritize shared hosts, container platforms, and systems with untrusted local users.
Reduce unnecessary local account access until patched.
Track distro advisories for backported fixes and affected package versions.
Validation and detection
Inventory Linux kernel versions across servers and container hosts.
Compare installed packages against vendor advisories for CVE-2022-48638.
Check kernel changelogs for the referenced stable commit IDs.
Validate that patched systems rebooted into the updated kernel.
Document any unsupported or end-of-life kernels requiring replacement.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48638 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.