CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
If an AF_PACKET socket is used to send packets through ipvlan and the
default xmit function of the AF_PACKET socket is changed from
dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and
remains as the initial value of 65535, this may trigger slab-out-of-bounds
bugs as following:
=================================================================
UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
all Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is:
1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW
and skb->protocol is not specified as in packet_parse_headers()
2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()
In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is
called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which
use "skb->head + skb->mac_header", out-of-bound access occurs.
This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
and reset mac header in multicast to solve this out-of-bound bug.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel memory-safety bug in ipvlan packet handling. A local packet-sending path can leave a packet header pointer unset, causing out-of-bounds kernel memory access. The cited CVSS score is 7.7 because integrity and availability impact are high, but the attack vector is local.
Executive priority
Treat as a high-priority kernel maintenance item for Linux infrastructure, especially container or network-heavy hosts. There is no cited active exploitation, so emergency response depends on local exposure and privilege boundaries, but kernel compromise paths can have severe operational impact.
Technical view
When AF_PACKET sends through ipvlan with PACKET_QDISC_BYPASS, packet_direct_xmit() may not reset skb->mac_header. ipvlan_xmit_mode_l2() then uses eth_hdr() against a 65535 mac_header value, triggering slab out-of-bounds access. Kernel stable fixes replace eth_hdr() with skb_eth_hdr() and reset the multicast mac header path.
Likely exposure
Exposure is most plausible on Linux systems using affected kernel versions with ipvlan enabled and local ability to exercise AF_PACKET packet transmission paths. Containers or workloads with packet socket capability may be relevant, but the provided sources do not define exact distribution package exposure.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. The described trigger is local and specific: AF_PACKET traffic through ipvlan with PACKET_QDISC_BYPASS. Do not treat this as internet-remote based on the provided evidence.
Researcher notes
Evidence is strongest for root cause and upstream stable fixes. The public description includes KASAN slab-out-of-bounds in ipvlan_xmit_mode_l2 via packet_direct_xmit. Distribution-specific affected ranges, exploitability constraints, and real-world abuse are not established in the provided bundle.
Mitigation direction
Update Linux kernels using vendor advisories or referenced stable kernel fixes.
Prioritize hosts using ipvlan, container networking, or packet socket capabilities.
Review whether workloads can create AF_PACKET sockets or use CAP_NET_RAW.
Check distribution kernel backport status before assuming version strings are vulnerable.
Monitor vendor security notices for operational mitigations or package-specific guidance.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Identify systems using the ipvlan kernel module or ipvlan-based networking.
Review container and workload permissions for AF_PACKET or CAP_NET_RAW access.
Confirm patched status against vendor errata, not only upstream kernel numbers.
Track remediation evidence in vulnerability management records.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.