LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48823: scsi: qedf: Fix refcount issue when LOGO is received during TMF

In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix refcount issue when LOGO is received during TMF Hung task call trace was seen during LOGO processing. [ 974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued... [ 974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0 [ 974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET [ 974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1. [ 974.309625] host1: rport 016900: Received LOGO request while in state Ready [ 974.309627] host1: rport 016900: Delete port [ 974.309642] host1: rport 016900: work event 3 [ 974.309644] host1: rport 016900: lld callback ev 3 [ 974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush. [ 974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success... [ 984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds. [ 984.031136] Not tainted 4.18.0-305.el8.x86_64 #1 [ 984.031166] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 984.031209] jbd2/dm-15-8 D 0 7645 2 0x80004080 [ 984.031212] Call Trace: [ 984.031222] __schedule+0x2c4/0x700 [ 984.031230] ? unfreeze_partials.isra.83+0x16e/0x1a0 [ 984.031233] ? bit_wait_timeout+0x90/0x90 [ 984.031235] schedule+0x38/0xa0 [ 984.031238] io_schedule+0x12/0x40 [ 984.031240] bit_wait_io+0xd/0x50 [ 984.031243] __wait_on_bit+0x6c/0x80 [ 984.031248] ? free_buffer_head+0x21/0x50 [ 984.031251] out_of_line_wait_on_bit+0x91/0xb0 [ 984.031257] ? init_wait_var_entry+0x50/0x50 [ 984.031268] jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2] [ 984.031280] kjournald2+0xbd/0x270 [jbd2] [ 984.031284] ? finish_wait+0x80/0x80 [ 984.031291] ? commit_timeout+0x10/0x10 [jbd2] [ 984.031294] kthread+0x116/0x130 [ 984.031300] ? kthread_flush_work_fn+0x10/0x10 [ 984.031305] ret_from_fork+0x1f/0x40 There was a ref count issue when LOGO is received during TMF. This leads to one of the I/Os hanging with the driver. Fix the ref count.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-48823 is a Linux kernel driver availability issue. During Fibre Channel logout handling while task management is running, a reference-counting bug can leave an I/O stuck in the qedf SCSI path. For affected storage hosts, the business risk is hung I/O and service disruption, not proven data theft or code execution.

Executive priority

Treat as a targeted availability risk for Linux storage infrastructure, especially where hung I/O can affect databases or critical services. Prioritize validation on hosts using the affected driver before broad emergency action.

Technical view

The issue is in the Linux kernel qedf SCSI driver. When LOGO is received during TMF, incorrect reference counting can cause one I/O to hang in the driver, with hung task traces involving journal commit work. The kernel stable references indicate fixes were committed, but the bundle does not provide CVSS, CWE, or a full version matrix.

Likely exposure

Exposure is most likely on Linux systems running affected kernels where the qedf SCSI driver and relevant storage/Fibre Channel paths are in use. Systems not using this driver path are less likely to be exposed, but the bundle does not provide distribution-specific package status.

Exploitation context

The provided sources do not show CISA KEV listing, active exploitation, public exploit code, or remote attack details. The observed trigger is LOGO processing during TMF, suggesting an operational storage-path failure condition rather than a documented attacker workflow.

Researcher notes

The evidence supports a qedf refcount bug causing hung I/O during LOGO and TMF interaction. Severity metadata is incomplete: no CVSS, CWE, exploit status, or distribution-specific fixed versions are supplied. Research should focus on mapping stable commits to deployed kernels and vendor backports.

Mitigation direction

  • Review vendor or distribution kernel advisories for CVE-2022-48823 applicability.
  • Update to a kernel build containing the referenced stable qedf refcount fix.
  • Prioritize systems using qedf-backed storage paths or showing hung I/O symptoms.
  • Avoid direct wrangling of storage drivers without vendor-supported maintenance procedures.

Validation and detection

  • Inventory Linux hosts and kernel versions against vendor CVE status.
  • Check whether the qedf driver is loaded or used on production storage paths.
  • Review kernel logs for qedf LOGO, TMF, hung task, or blocked I/O messages.
  • Confirm patched kernels include one of the referenced stable commits or vendor backports.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48823 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux61d8658b4a435eac729966cc94cdda077a8df5cd, 61d8658b4a435eac729966cc94cdda077a8df5cd, 61d8658b4a435eac729966cc94cdda077a8df5cd, 61d8658b4a435eac729966cc94cdda077a8df5cd, 61d8658b4a435eac729966cc94cdda077a8df5cdunaffected
LinuxLinux4.11, 0, 5.4.180, 5.10.101, 5.15.24, 5.16.10, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.