CVE-2022-48655: firmware: arm_scmi: Harden accesses to the reset domains
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Harden accesses to the reset domains
Accessing reset domains descriptors by the index upon the SCMI drivers
requests through the SCMI reset operations interface can potentially
lead to out-of-bound violations if the SCMI driver misbehave.
Add an internal consistency check before any such domains descriptors
accesses.
Security readout for executives and security teams
Plain-English summary
This Linux kernel flaw can let a faulty or unexpected SCMI reset-domain request access reset-domain data outside valid bounds. On affected ARM-oriented systems, that creates risk to confidentiality, integrity, and availability. The sources show kernel hardening fixes, but no evidence of active exploitation or a named workaround.
Executive priority
Treat this as a high-priority kernel maintenance issue for ARM/Linux fleets and affected appliances. There is no supplied evidence of active exploitation, but the impact rating is high and remediation should be tracked through normal emergency or accelerated patch governance.
Technical view
CVE-2022-48655 is a CWE-125 out-of-bounds access issue in Linux firmware arm_scmi reset-domain handling. The kernel fix adds an internal consistency check before reset-domain descriptor access by index. The CVSS 3.1 score is 8.1 with high complexity and no required privileges or user interaction.
Likely exposure
Exposure is most relevant to Linux systems or appliances using ARM SCMI firmware reset-domain functionality. The bundle names Linux kernel versions and includes Debian LTS and NetApp advisories, but exact product and package impact must be confirmed through each vendor's guidance.
Exploitation context
The CVE is not listed as KEV in the supplied bundle, and no cited source states active exploitation. Exploitation details are not provided. The described condition depends on SCMI driver behavior and invalid reset-domain index handling, so practical exploitability is unclear from these sources.
Researcher notes
The source bundle provides the vulnerability cause, CWE, CVSS, affected Linux version data, and stable commit references. It does not provide exploitability analysis, proof of concept, runtime indicators, or complete downstream package mappings. Validate exposure through kernel configuration, code provenance, and vendor advisories.
Mitigation direction
Update affected Linux kernels to vendor-supported builds containing the referenced stable fixes.
Check Debian, NetApp, and other vendor advisories for package-specific remediation guidance.
Prioritize ARM platforms and appliances that rely on SCMI firmware reset controls.
If patching is delayed, follow vendor guidance; no source-provided workaround is named.
Validation and detection
Inventory Linux kernel versions and vendor appliance firmware against the CVE record.
Confirm whether ARM SCMI reset-domain support is present and in use.
Verify patched builds include the referenced kernel stable commits or vendor backports.
Review vendor advisories for distribution-specific fixed package versions.
Document any systems where applicability cannot be confirmed from available evidence.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
8Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.