CVE-2022-48807: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler
Currently, the same handler is called for both a NETDEV_BONDING_INFO
LAG unlink notification as for a NETDEV_UNREGISTER call. This is
causing a problem though, since the netdev_notifier_info passed has
a different structure depending on which event is passed. The problem
manifests as a call trace from a BUG: KASAN stack-out-of-bounds error.
Fix this by creating a handler specific to NETDEV_UNREGISTER that only
is passed valid elements in the netdev_notifier_info struct for the
NETDEV_UNREGISTER event.
Also included is the removal of an unbalanced dev_put on the peer_netdev
and related braces.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48807 is a Linux kernel issue in the Intel ice network driver. Certain link aggregation or device unregister events can trigger an invalid stack access detected by KASAN. The public record does not show active exploitation or a CVSS score. Treat this as a kernel stability risk for systems using the affected driver and LAG features.
Executive priority
Schedule remediation through normal kernel patch cycles, with higher priority for production systems using Intel ice adapters and LAG. There is no public evidence of active exploitation, but kernel bugs affecting network drivers can create availability risk in sensitive environments.
Technical view
The ice driver reused a LAG unlink notifier handler for NETDEV_UNREGISTER, although the netdev_notifier_info structure differs by event type. This caused a KASAN stack-out-of-bounds BUG trace. The fix adds a NETDEV_UNREGISTER-specific handler and removes an unbalanced dev_put on peer_netdev.
Likely exposure
Exposure appears limited to Linux kernels in the affected ranges and configurations using the ice Ethernet driver, especially with bonding or LAG operations. The CVE record lists Linux 5.15, versions before 5.15.24, before 5.16.10, and 5.17 as affected, plus specific kernel commits.
Exploitation context
No cited source reports active exploitation, public exploit availability, or KEV listing. The described failure is triggered by kernel network device notification handling during LAG unlink or unregister events, suggesting operational or local configuration context rather than broad remote exposure.
Researcher notes
Evidence is limited to the kernel fix description and references. No CVSS, CWE, exploit status, or detailed attacker prerequisites are provided in the source bundle. Analysis should focus on affected kernel lineage, ice driver use, and whether distribution kernels have backported the stable commits.
Mitigation direction
Update to a kernel containing the referenced stable fixes or a vendor backport.
Check Linux distribution advisories for packaged kernel fixes.
Prioritize systems using Intel ice NICs with bonding or LAG.
If immediate update is not possible, reduce unnecessary LAG reconfiguration until patched.
Validation and detection
Inventory Linux kernel versions against the CVE affected ranges.
Identify hosts loading or using the ice network driver.
Check whether bonding or LAG is configured on those hosts.
Confirm the installed kernel includes one of the referenced stable commits or vendor backport.
Review kernel logs for KASAN BUG traces related to ice LAG unregister handling.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48807 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.