CVE-2022-48659: mm/slub: fix to return errno if kmalloc() fails
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: fix to return errno if kmalloc() fails
In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to
out-of-memory, if it fails, return errno correctly rather than
triggering panic via BUG_ON();
kernel BUG at mm/slub.c:5893!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Call trace:
sysfs_slab_add+0x258/0x260 mm/slub.c:5973
__kmem_cache_create+0x60/0x118 mm/slub.c:4899
create_cache mm/slab_common.c:229 [inline]
kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335
kmem_cache_create+0x1c/0x28 mm/slab_common.c:390
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]
f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808
f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149
mount_bdev+0x1b8/0x210 fs/super.c:1400
f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512
legacy_get_tree+0x30/0x74 fs/fs_context.c:610
vfs_get_tree+0x40/0x140 fs/super.c:1530
do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
path_mount+0x358/0x914 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel availability flaw. If a specific memory allocation fails, the kernel could crash instead of returning an error. The public sources support a denial-of-service concern, not data theft or remote code execution.
Executive priority
Treat this as a stability and availability issue. Patch through normal kernel maintenance, with higher priority for shared Linux hosts, storage systems, and environments exposed to untrusted local users.
Technical view
In mm/slub create_unique_id(), a failing kmalloc(..., GFP_KERNEL) could reach BUG_ON() and trigger a kernel Oops. The cited trace shows this through slab cache creation during an f2fs mount path. Stable kernel commits change the behavior to return errno correctly.
Likely exposure
Exposure is limited to systems running affected Linux kernel versions or unfixed downstream builds. The bundle lists Linux kernels from 2.6.22 through several stable branches as affected. Distribution-specific package status is not provided.
Exploitation context
No KEV listing is present, and the source bundle does not cite active exploitation. Evidence indicates a crash condition when memory allocation fails during kernel slab cache creation, not a confirmed remotely exploitable issue.
Researcher notes
The evidence is narrow: a kmalloc failure in create_unique_id() led to BUG_ON-triggered panic. The provided call trace involves f2fs, but the fix is in mm/slub, so validation should focus on kernel patch status rather than only f2fs usage.
Mitigation direction
Update to a kernel build containing the referenced stable fixes.
Check Linux distribution advisories for the exact fixed package version.
Prioritize systems where local users can mount filesystems or trigger kernel cache creation.
Monitor hosts for kernel Oops or panic events matching mm/slub or sysfs_slab_add.
Validation and detection
Inventory running kernel versions across Linux servers and appliances.
Map each kernel to vendor advisories or the referenced stable commits.
Review crash logs for BUG_ON, mm/slub, sysfs_slab_add, or f2fs mount traces.
Confirm patched systems no longer match the affected kernel version range.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48659 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.