LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following: ================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers() 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs. This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug.

HighCVSS 7.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel memory-safety bug in ipvlan packet handling. A local packet-sending path can leave a packet header pointer unset, causing out-of-bounds kernel memory access. The cited CVSS score is 7.7 because integrity and availability impact are high, but the attack vector is local.

Executive priority

Treat as a high-priority kernel maintenance item for Linux infrastructure, especially container or network-heavy hosts. There is no cited active exploitation, so emergency response depends on local exposure and privilege boundaries, but kernel compromise paths can have severe operational impact.

Technical view

When AF_PACKET sends through ipvlan with PACKET_QDISC_BYPASS, packet_direct_xmit() may not reset skb->mac_header. ipvlan_xmit_mode_l2() then uses eth_hdr() against a 65535 mac_header value, triggering slab out-of-bounds access. Kernel stable fixes replace eth_hdr() with skb_eth_hdr() and reset the multicast mac header path.

Likely exposure

Exposure is most plausible on Linux systems using affected kernel versions with ipvlan enabled and local ability to exercise AF_PACKET packet transmission paths. Containers or workloads with packet socket capability may be relevant, but the provided sources do not define exact distribution package exposure.

Exploitation context

The source bundle does not show CISA KEV listing or active exploitation. The described trigger is local and specific: AF_PACKET traffic through ipvlan with PACKET_QDISC_BYPASS. Do not treat this as internet-remote based on the provided evidence.

Researcher notes

Evidence is strongest for root cause and upstream stable fixes. The public description includes KASAN slab-out-of-bounds in ipvlan_xmit_mode_l2 via packet_direct_xmit. Distribution-specific affected ranges, exploitability constraints, and real-world abuse are not established in the provided bundle.

Mitigation direction

  • Update Linux kernels using vendor advisories or referenced stable kernel fixes.
  • Prioritize hosts using ipvlan, container networking, or packet socket capabilities.
  • Review whether workloads can create AF_PACKET sockets or use CAP_NET_RAW.
  • Check distribution kernel backport status before assuming version strings are vulnerable.
  • Monitor vendor security notices for operational mitigations or package-specific guidance.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Identify systems using the ipvlan kernel module or ipvlan-based networking.
  • Review container and workload permissions for AF_PACKET or CAP_NET_RAW access.
  • Confirm patched status against vendor errata, not only upstream kernel numbers.
  • Track remediation evidence in vulnerability management records.
Prepared
Confidence
high
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-125: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-48651 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.7CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H2.55.2CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.7High
CVSS 3.1 vector shape for CVE-2022-48651Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269, 2ad7bf3638411cb547f2823df08166c13ab04269unaffected
LinuxLinux3.19, 0, 4.9.330, 4.14.295, 4.19.260, 5.4.215, 5.10.146, 5.15.71, 5.19.12, 6.0affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-125 · source CWE mapping

Out-of-bounds Read

Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.