LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48850: net-sysfs: add check for netdevice being present to speed_show

In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed. [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called ... [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) [ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280 crash> bt ... PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd" ... #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 [exception RIP: dma_pool_alloc+0x1ab] RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 crash> net_device.state ffff89443b0c0000 state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) To prevent this scenario, we also make sure that the netdevice is present.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can crash a system when software reads a network device speed value from sysfs while that device is being removed or the system is shutting down. The public record describes a kernel panic, so the main business concern is availability, not data theft.

Executive priority

Treat as a targeted availability risk. Prioritize normal kernel maintenance for exposed Linux fleets, especially infrastructure where unexpected reboots or panics affect service reliability. Escalate only if internal crash evidence appears.

Technical view

The flaw is in net-sysfs speed_show. During netdevice teardown, the code could query ethtool link settings after the device was no longer present, leading to a NULL pointer dereference path and panic. The fix adds a presence check before accessing the device.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions where local software or monitoring agents read network sysfs speed data during interface removal or shutdown. The bundle names Linux kernels and stable kernel fixes, but does not identify specific distributions or packaged kernel builds.

Exploitation context

The source bundle does not report active exploitation, public weaponization, KEV listing, CVSS, or remote reachability. The described scenario involves a race during device shutdown/removal and sysfs access, with observed impact as a kernel panic.

Researcher notes

Evidence supports a kernel NULL dereference/panic in speed_show during netdevice teardown. The bundle does not establish attacker privileges, remote triggerability, CVSS, distribution package status, or exploit availability. Avoid assuming more than availability impact without vendor data.

Mitigation direction

  • Identify Linux kernel versions across servers, appliances, and cloud images.
  • Check vendor or distribution advisories for backported fixes for CVE-2022-48850.
  • Prioritize kernel updates on systems with frequent NIC changes or aggressive monitoring agents.
  • Review monitoring that reads network sysfs speed during shutdown or interface removal.

Validation and detection

  • Confirm kernel package version against vendor guidance or upstream stable fix levels.
  • Check crash logs for panics involving speed_show, ethtool link settings, or mlx5_core teardown.
  • Inventory agents that read /sys/class/net device speed attributes.
  • Verify updated kernels include the net-sysfs presence check fix.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48850 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065, d519e17e2d01a0ee9abe083019532061b4438065unaffected
LinuxLinux2.6.33, 0, 4.9.307, 4.14.272, 4.19.235, 5.4.185, 5.10.106, 5.15.29, 5.16.15, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.