LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48911: netfilter: nf_queue: fix possible use-after-free

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller. v2: split skb prefetch hunk into separate change

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-48911 is a Linux kernel netfilter bug involving a possible use-after-free when queuing packets fails. Kernel memory-safety bugs can affect system stability or security, but the public record provided has no CVSS score, no stated impact, and no evidence of active exploitation.

Executive priority

Schedule remediation through the normal kernel patch cycle, with faster handling for systems performing firewalling, routing, or packet inspection. Escalate if your Linux vendor assigns high severity or reports exploit activity.

Technical view

The fix changes nf_queue handling because sock_hold() could be unsafe if sk_refcnt is already zero. On failure, the kernel should not queue the packet and should return an error so the caller drops it. The issue is recorded as resolved in Linux stable commits across multiple branches.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions or vendor builds containing the vulnerable netfilter nf_queue code. Systems using packet filtering or userspace packet queueing are the most relevant to review, but the sources do not define required configuration or attack preconditions.

Exploitation context

The supplied sources do not describe exploitability, attacker position, privileges required, or real-world exploitation. CISA KEV status is false in the bundle. Treat this as a kernel memory-safety issue requiring patch validation, not as confirmed actively exploited activity.

Researcher notes

Public data is sparse: no CVSS, CWE, exploit notes, or detailed affected-version semantics are provided. The strongest evidence is the kernel stable fix set and CVE description. Avoid assuming impact beyond a possible use-after-free in nf_queue.

Mitigation direction

  • Update affected Linux kernels using your distribution or vendor security channels.
  • Confirm the vendor kernel includes the referenced upstream stable fixes.
  • Prioritize internet-facing, firewall, container host, and packet-processing Linux systems.
  • If no vendor advisory exists, monitor Linux stable and distribution guidance.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Compare vendor kernel builds against CVE-2022-48911 advisories or fixed stable commits.
  • Review whether netfilter/NFQUEUE functionality is used on exposed systems.
  • Verify patched systems boot into the updated kernel, not only install it.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48911 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672d, 271b72c7fa82c2c7a795bc16896149933110672dunaffected
LinuxLinux2.6.29, 0, 4.9.305, 4.14.270, 4.19.233, 5.4.183, 5.10.104, 5.15.27, 5.16.13, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.