Security readout for executives and security teams
Plain-English summary
This is a Linux kernel BPF bug that can crash the kernel when a BPF map value contains both a spin lock and a timer. The copy routine failed to skip both special objects, allowing a map update to overwrite timer state. The sources provide no CVSS, KEV exploitation, or impact beyond the demonstrated crash.
Executive priority
Prioritize as a kernel stability risk when affected Linux versions are deployed, especially on shared or security-sensitive systems using BPF. Because public severity and exploitation evidence are missing, handle through normal kernel patch governance unless local BPF exposure is broad or untrusted.
Technical view
The issue is in Linux BPF map value copying. When both bpf_spin_lock and bpf_timer are present, copy_map_value did not set both offsets needed to avoid copying over internal objects. A bpf_map_update_elem operation could overwrite timer-related state and trigger a KASAN-reported crash in kernel locking/timer paths.
Likely exposure
Exposure appears limited to Linux kernels in the affected ranges listed by the CVE source and systems where relevant BPF map/program operations are possible. The bundle lists affected Linux versions including 5.15, 5.15.26, 5.16.12, and 5.17, but does not describe distribution package status.
Exploitation context
The source bundle demonstrates a crash using a BPF test case named timer_crash. It does not cite active exploitation, KEV listing, required attacker privileges, remote reachability, or a working exploit. Treat exploitation context as incomplete and avoid assuming internet-facing exploitability.
Researcher notes
The core condition is a BPF map value containing both bpf_spin_lock and bpf_timer. The failure path is copy_map_value not skirting both internal objects, enabling overwrite during map update. Sources identify stable commits but do not provide CVSS, CWE, privilege requirements, or distribution-specific fixed versions.
Mitigation direction
Check Linux vendor advisories for fixed kernel packages covering CVE-2022-48940.
Prioritize kernel updates where BPF is enabled or used by workloads.
Verify whether deployed kernels include the referenced stable fixes.
Review BPF access controls while awaiting vendor-specific guidance.
Validation and detection
Inventory Linux kernel versions across hosts and containers with host-kernel exposure.
Compare running kernels against vendor advisories for CVE-2022-48940.
Confirm whether BPF is enabled and who can load BPF programs.
Look for kernel crash logs referencing BPF timers, spin locks, or KASAN reports.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48940 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.