CVE-2022-48911: netfilter: nf_queue: fix possible use-after-free
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_queue: fix possible use-after-free
Eric Dumazet says:
The sock_hold() side seems suspect, because there is no guarantee
that sk_refcnt is not already 0.
On failure, we cannot queue the packet and need to indicate an
error. The packet will be dropped by the caller.
v2: split skb prefetch hunk into separate change
Security readout for executives and security teams
Plain-English summary
CVE-2022-48911 is a Linux kernel netfilter bug involving a possible use-after-free when queuing packets fails. Kernel memory-safety bugs can affect system stability or security, but the public record provided has no CVSS score, no stated impact, and no evidence of active exploitation.
Executive priority
Schedule remediation through the normal kernel patch cycle, with faster handling for systems performing firewalling, routing, or packet inspection. Escalate if your Linux vendor assigns high severity or reports exploit activity.
Technical view
The fix changes nf_queue handling because sock_hold() could be unsafe if sk_refcnt is already zero. On failure, the kernel should not queue the packet and should return an error so the caller drops it. The issue is recorded as resolved in Linux stable commits across multiple branches.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions or vendor builds containing the vulnerable netfilter nf_queue code. Systems using packet filtering or userspace packet queueing are the most relevant to review, but the sources do not define required configuration or attack preconditions.
Exploitation context
The supplied sources do not describe exploitability, attacker position, privileges required, or real-world exploitation. CISA KEV status is false in the bundle. Treat this as a kernel memory-safety issue requiring patch validation, not as confirmed actively exploited activity.
Researcher notes
Public data is sparse: no CVSS, CWE, exploit notes, or detailed affected-version semantics are provided. The strongest evidence is the kernel stable fix set and CVE description. Avoid assuming impact beyond a possible use-after-free in nf_queue.
Mitigation direction
Update affected Linux kernels using your distribution or vendor security channels.
Confirm the vendor kernel includes the referenced upstream stable fixes.
Prioritize internet-facing, firewall, container host, and packet-processing Linux systems.
If no vendor advisory exists, monitor Linux stable and distribution guidance.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Compare vendor kernel builds against CVE-2022-48911 advisories or fixed stable commits.
Review whether netfilter/NFQUEUE functionality is used on exposed systems.
Verify patched systems boot into the updated kernel, not only install it.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48911 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.