CVE-2022-48858: net/mlx5: Fix a race on command flush flow
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix a race on command flush flow
Fix a refcount use after free warning due to a race on command entry.
Such race occurs when one of the commands releases its last refcount and
frees its index and entry while another process running command flush
flow takes refcount to this command entry. The process which handles
commands flush may see this command as needed to be flushed if the other
process released its refcount but didn't release the index yet. Fix it
by adding the needed spin lock.
It fixes the following warning trace:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0
...
RIP: 0010:refcount_warn_saturate+0x80/0xe0
...
Call Trace:
<TASK>
mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core]
mlx5_cmd_flush+0x3a/0xf0 [mlx5_core]
enter_error_state+0x44/0x80 [mlx5_core]
mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core]
process_one_work+0x1be/0x390
worker_thread+0x4d/0x3d0
? rescuer_thread+0x350/0x350
kthread+0x141/0x160
? set_kthread_struct+0x40/0x40
ret_from_fork+0x1f/0x30
</TASK>
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel flaw in the mlx5 network driver command cleanup path. A race can cause a command entry reference count to be taken after it reaches zero, producing a use-after-free warning. The public record does not provide CVSS, attacker prerequisites, or confirmed business impact.
Executive priority
Handle through normal kernel patch management unless critical workloads depend on mlx5 networking or logs show matching warnings. There is no cited active exploitation or severity score, but kernel use-after-free conditions deserve timely remediation on exposed production infrastructure.
Technical view
CVE-2022-48858 affects Linux net/mlx5. During command flush, one process may see a command entry as flushable after another released the last refcount but before its index is released. The fix adds required spin locking around this race. The trace involves mlx5_cmd_trigger_completions, mlx5_cmd_flush, and firmware fatal error handling.
Likely exposure
Exposure appears limited to Linux kernels in the listed affected versions or commit ranges where the mlx5_core driver path is present. The source bundle does not prove remote reachability, privilege requirements, or whether exploitation is practical beyond the reported kernel warning condition.
Exploitation context
No active exploitation is supported by the provided sources. The CVE is not marked KEV, and the bundle contains no public exploit report. Treat this as an official kernel correctness and stability issue with incomplete evidence about attacker-controlled impact.
Researcher notes
The source record describes a race in command flush handling, not an exploit primitive. Missing data includes CVSS, CWE, attacker path, and impact scope. Analysis should focus on commit diff review, affected branch mapping, distro backports, and reproducing the warning safely in a controlled test environment.
Mitigation direction
Update to a kernel or distro package containing the referenced stable fixes.
Check vendor or distribution advisories for backported mlx5 fixes.
Prioritize systems using mlx5_core or affected kernel branches.
Schedule reboot or driver reload according to normal kernel patch procedures.
Track the CVE for later CVSS or distro severity updates.
Validation and detection
Inventory Linux kernel versions against the affected version list.
Confirm whether mlx5_core is present in relevant server builds.
Review kernel changelogs for the named net/mlx5 fix.
Check kernel logs for matching refcount use-after-free warnings.
Verify patched kernels include one of the referenced stable commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48858 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.