LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48969: xen-netfront: Fix NULL sring after live migration

In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busy_poll/busy_read enabled, the NAPI can be polled before got deleted when resume VM. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennet_poll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finish_task_switch+0x71/0x230 timerqueue_del+0x1d/0x40 hrtimer_try_to_cancel+0xb5/0x110 xennet_alloc_rx_buffers+0x2a0/0x2a0 napi_busy_loop+0xdb/0x270 sock_poll+0x87/0x90 do_sys_poll+0x26f/0x580 tracing_map_insert+0x1d4/0x2f0 event_hist_trigger+0x14a/0x260 finish_task_switch+0x71/0x230 __schedule+0x256/0x890 recalc_sigpending+0x1b/0x50 xen_sched_clock+0x15/0x20 __rb_reserve_next+0x12d/0x140 ring_buffer_lock_reserve+0x123/0x3d0 event_triggers_call+0x87/0xb0 trace_event_buffer_commit+0x1c4/0x210 xen_clocksource_get_cycles+0x15/0x20 ktime_get_ts64+0x51/0xf0 SyS_ppoll+0x160/0x1a0 SyS_ppoll+0x160/0x1a0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]--- xen frontend should remove the NAPIs for the old srings before live migration as the bond srings are destroyed There is a tiny window between the srings are set to NULL and the NAPIs are disabled, It is safe as the NAPI threads are still frozen at that time

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel Xen networking bug that can crash a virtual machine during or after live migration. It affects the xen-netfront driver when old network ring state is removed but NAPI polling can still reference it. The source does not provide CVSS, ransomware relevance, or active exploitation evidence.

Executive priority

Treat this as an availability risk for Xen-hosted Linux workloads. Prioritize patching systems where live migration is operationally important, especially production guests with uptime requirements. Urgency is lower than internet-exposed RCE unless local evidence shows crashes.

Technical view

CVE-2022-48969 is a NULL pointer dereference in Linux xen-netfront. During Xen live migration, old network shared rings are destroyed before new target-host rings are fully set up. With busy_poll or busy_read enabled, NAPI polling may run against a NULL sring and fault in xennet_poll.

Likely exposure

Exposure appears limited to Linux systems running as Xen guests with xen-netfront networking, especially environments using live migration and busy_poll or busy_read. The CVE data lists Linux kernel versions and stable-branch fixes, but distro package status must be verified separately.

Exploitation context

The provided sources do not show public exploitation or CISA KEV listing. The described failure is a kernel crash condition triggered around VM resume after live migration, not a documented remote code execution path.

Researcher notes

The source attributes the bug to stale NAPI structures polling after old srings are destroyed during migration. A small window remains after srings become NULL, but the source states NAPI threads are frozen then. No CWE, CVSS, or exploitability assessment is provided.

Mitigation direction

  • Update affected Linux kernels to versions containing the referenced xen-netfront fix.
  • Check Linux distribution advisories for backported fixes in vendor kernel packages.
  • Review whether Xen live migration is used for impacted guest workloads.
  • Disable or avoid busy_poll and busy_read where vendor guidance supports it.
  • Prioritize critical Xen guest workloads that depend on live migration.

Validation and detection

  • Inventory Linux guests using Xen xen-netfront network devices.
  • Map each guest kernel to distro advisories or referenced stable commits.
  • Check whether live migration is enabled for those guests.
  • Review kernel logs for xennet_poll NULL dereference crashes after migration.
  • Confirm patched guests survive controlled live migration regression testing.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48969 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux4ec2411980d0fd2995e8dea8a06fe57aa47523cb, 4ec2411980d0fd2995e8dea8a06fe57aa47523cb, 4ec2411980d0fd2995e8dea8a06fe57aa47523cb, 4ec2411980d0fd2995e8dea8a06fe57aa47523cb, 4ec2411980d0fd2995e8dea8a06fe57aa47523cb, 4ec2411980d0fd2995e8dea8a06fe57aa47523cbunaffected
LinuxLinux2.6.24, 0, 4.19.269, 5.4.227, 5.10.159, 5.15.83, 6.0.13, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.