CVE-2022-48969: xen-netfront: Fix NULL sring after live migration
In the Linux kernel, the following vulnerability has been resolved:
xen-netfront: Fix NULL sring after live migration
A NAPI is setup for each network sring to poll data to kernel
The sring with source host is destroyed before live migration and
new sring with target host is setup after live migration.
The NAPI for the old sring is not deleted until setup new sring
with target host after migration. With busy_poll/busy_read enabled,
the NAPI can be polled before got deleted when resume VM.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
IP: xennet_poll+0xae/0xd20
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Call Trace:
finish_task_switch+0x71/0x230
timerqueue_del+0x1d/0x40
hrtimer_try_to_cancel+0xb5/0x110
xennet_alloc_rx_buffers+0x2a0/0x2a0
napi_busy_loop+0xdb/0x270
sock_poll+0x87/0x90
do_sys_poll+0x26f/0x580
tracing_map_insert+0x1d4/0x2f0
event_hist_trigger+0x14a/0x260
finish_task_switch+0x71/0x230
__schedule+0x256/0x890
recalc_sigpending+0x1b/0x50
xen_sched_clock+0x15/0x20
__rb_reserve_next+0x12d/0x140
ring_buffer_lock_reserve+0x123/0x3d0
event_triggers_call+0x87/0xb0
trace_event_buffer_commit+0x1c4/0x210
xen_clocksource_get_cycles+0x15/0x20
ktime_get_ts64+0x51/0xf0
SyS_ppoll+0x160/0x1a0
SyS_ppoll+0x160/0x1a0
do_syscall_64+0x73/0x130
entry_SYSCALL_64_after_hwframe+0x41/0xa6
...
RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
CR2: 0000000000000008
---[ end trace f8601785b354351c ]---
xen frontend should remove the NAPIs for the old srings before live
migration as the bond srings are destroyed
There is a tiny window between the srings are set to NULL and
the NAPIs are disabled, It is safe as the NAPI threads are still
frozen at that time
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel Xen networking bug that can crash a virtual machine during or after live migration. It affects the xen-netfront driver when old network ring state is removed but NAPI polling can still reference it. The source does not provide CVSS, ransomware relevance, or active exploitation evidence.
Executive priority
Treat this as an availability risk for Xen-hosted Linux workloads. Prioritize patching systems where live migration is operationally important, especially production guests with uptime requirements. Urgency is lower than internet-exposed RCE unless local evidence shows crashes.
Technical view
CVE-2022-48969 is a NULL pointer dereference in Linux xen-netfront. During Xen live migration, old network shared rings are destroyed before new target-host rings are fully set up. With busy_poll or busy_read enabled, NAPI polling may run against a NULL sring and fault in xennet_poll.
Likely exposure
Exposure appears limited to Linux systems running as Xen guests with xen-netfront networking, especially environments using live migration and busy_poll or busy_read. The CVE data lists Linux kernel versions and stable-branch fixes, but distro package status must be verified separately.
Exploitation context
The provided sources do not show public exploitation or CISA KEV listing. The described failure is a kernel crash condition triggered around VM resume after live migration, not a documented remote code execution path.
Researcher notes
The source attributes the bug to stale NAPI structures polling after old srings are destroyed during migration. A small window remains after srings become NULL, but the source states NAPI threads are frozen then. No CWE, CVSS, or exploitability assessment is provided.
Mitigation direction
Update affected Linux kernels to versions containing the referenced xen-netfront fix.
Check Linux distribution advisories for backported fixes in vendor kernel packages.
Review whether Xen live migration is used for impacted guest workloads.
Disable or avoid busy_poll and busy_read where vendor guidance supports it.
Prioritize critical Xen guest workloads that depend on live migration.
Validation and detection
Inventory Linux guests using Xen xen-netfront network devices.
Map each guest kernel to distro advisories or referenced stable commits.
Check whether live migration is enabled for those guests.
Review kernel logs for xennet_poll NULL dereference crashes after migration.
Confirm patched guests survive controlled live migration regression testing.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48969 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.