LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48853: Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""

In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-48853 is a Linux kernel information leak involving DMA bounce buffers. In specific storage I/O paths, data left in a SWIOTLB bounce buffer could be copied back to user space instead of zeros. The source describes a kernel fix, but provides no CVSS score or evidence of active exploitation.

Executive priority

Treat this as a targeted kernel information-disclosure risk, not an emergency remote-execution event. Prioritize patching for virtualization hosts and protected guest environments where SWIOTLB is expected, then handle remaining Linux fleets through normal kernel maintenance.

Technical view

The issue affects Linux SWIOTLB handling for DMA_FROM_DEVICE mappings. A SCSI SG_IO TEST UNIT READY request can prepare a receive buffer that the device does not overwrite. With virtio-scsi and SWIOTLB, stale bounce-buffer contents may be copied back to user space. The fix restores copying the original buffer into SWIOTLB when overwrite is uncertain.

Likely exposure

Most relevant exposure is Linux systems using SWIOTLB-dependent I/O paths, especially protected guest virtualization scenarios mentioned in the source such as s390 Secure Execution or AMD SEV with virtio-scsi. The bundle lists multiple affected Linux kernel versions but does not provide distribution-specific package status.

Exploitation context

The bundle describes a local information disclosure pattern discovered by testing, not remote compromise. KEV is false, and no cited source in the bundle reports active exploitation. Successful impact appears dependent on access to the relevant SCSI SG_IO path and a SWIOTLB bounce-buffer configuration.

Researcher notes

Evidence is strongest for a SWIOTLB transparency bug triggered through SCSI SG_IO behavior where the device does not overwrite a DMA_FROM_DEVICE buffer. The public bundle lacks CVSS, CWE, exploit reports, and distro-level fix mapping, so validation should focus on kernel lineage and vendor backports.

Mitigation direction

  • Apply Linux kernel updates that include the referenced stable SWIOTLB fixes.
  • Check distribution advisories for CVE-2022-48853 package status.
  • Prioritize protected guest and virtio-scsi environments using SWIOTLB.
  • Limit unnecessary untrusted access to SCSI generic interfaces.
  • Track vendor guidance if fixed package availability is unclear.

Validation and detection

  • Inventory Linux kernel versions against affected versions in the CVE bundle.
  • Confirm vendor kernels include CVE-2022-48853 or the SWIOTLB fix commits.
  • Identify hosts using virtio-scsi, protected virtualization, or SWIOTLB-heavy I/O paths.
  • Review exposure of SG_IO-capable device interfaces to untrusted users.
  • Use vendor-supported regression testing where kernel updates are staged.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48853 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
18Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2unaffected
LinuxLinux2.6.12, 0, 4.9.320, 4.14.281, 4.19.245, 5.4.196, 5.10.118, 5.15.33, 5.16.19, 5.17.2, 5.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.