LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48807: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler

In the Linux kernel, the following vulnerability has been resolved: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_notifier_info passed has a different structure depending on which event is passed. The problem manifests as a call trace from a BUG: KASAN stack-out-of-bounds error. Fix this by creating a handler specific to NETDEV_UNREGISTER that only is passed valid elements in the netdev_notifier_info struct for the NETDEV_UNREGISTER event. Also included is the removal of an unbalanced dev_put on the peer_netdev and related braces.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-48807 is a Linux kernel issue in the Intel ice network driver. Certain link aggregation or device unregister events can trigger an invalid stack access detected by KASAN. The public record does not show active exploitation or a CVSS score. Treat this as a kernel stability risk for systems using the affected driver and LAG features.

Executive priority

Schedule remediation through normal kernel patch cycles, with higher priority for production systems using Intel ice adapters and LAG. There is no public evidence of active exploitation, but kernel bugs affecting network drivers can create availability risk in sensitive environments.

Technical view

The ice driver reused a LAG unlink notifier handler for NETDEV_UNREGISTER, although the netdev_notifier_info structure differs by event type. This caused a KASAN stack-out-of-bounds BUG trace. The fix adds a NETDEV_UNREGISTER-specific handler and removes an unbalanced dev_put on peer_netdev.

Likely exposure

Exposure appears limited to Linux kernels in the affected ranges and configurations using the ice Ethernet driver, especially with bonding or LAG operations. The CVE record lists Linux 5.15, versions before 5.15.24, before 5.16.10, and 5.17 as affected, plus specific kernel commits.

Exploitation context

No cited source reports active exploitation, public exploit availability, or KEV listing. The described failure is triggered by kernel network device notification handling during LAG unlink or unregister events, suggesting operational or local configuration context rather than broad remote exposure.

Researcher notes

Evidence is limited to the kernel fix description and references. No CVSS, CWE, exploit status, or detailed attacker prerequisites are provided in the source bundle. Analysis should focus on affected kernel lineage, ice driver use, and whether distribution kernels have backported the stable commits.

Mitigation direction

  • Update to a kernel containing the referenced stable fixes or a vendor backport.
  • Check Linux distribution advisories for packaged kernel fixes.
  • Prioritize systems using Intel ice NICs with bonding or LAG.
  • If immediate update is not possible, reduce unnecessary LAG reconfiguration until patched.

Validation and detection

  • Inventory Linux kernel versions against the CVE affected ranges.
  • Identify hosts loading or using the ice network driver.
  • Check whether bonding or LAG is configured on those hosts.
  • Confirm the installed kernel includes one of the referenced stable commits or vendor backport.
  • Review kernel logs for KASAN BUG traces related to ice LAG unregister handling.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48807 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux6a8b357278f5f8b9817147277ab8f12879dce8a8, 6a8b357278f5f8b9817147277ab8f12879dce8a8, 6a8b357278f5f8b9817147277ab8f12879dce8a8, e83b3cce4722b880c277d44b13eebf2548cb2ebbunaffected
LinuxLinux5.15, 0, 5.15.24, 5.16.10, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.