CVE-2022-48997: char: tpm: Protect tpm_pm_suspend with locks
In the Linux kernel, the following vulnerability has been resolved:
char: tpm: Protect tpm_pm_suspend with locks
Currently tpm transactions are executed unconditionally in
tpm_pm_suspend() function, which may lead to races with other tpm
accessors in the system.
Specifically, the hw_random tpm driver makes use of tpm_get_random(),
and this function is called in a loop from a kthread, which means it's
not frozen alongside userspace, and so can race with the work done
during system suspend:
tpm tpm0: tpm_transmit: tpm_recv: error -52
tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Call Trace:
tpm_tis_status.cold+0x19/0x20
tpm_transmit+0x13b/0x390
tpm_transmit_cmd+0x20/0x80
tpm1_pm_suspend+0xa6/0x110
tpm_pm_suspend+0x53/0x80
__pnp_bus_suspend+0x35/0xe0
__device_suspend+0x10f/0x350
Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
tpm_chip_start(), but takes the appropriate mutex.
[Jason: reworked commit message, added metadata]
Security readout for executives and security teams
Plain-English summary
CVE-2022-48997 is a Linux kernel TPM driver race during system suspend. TPM operations can run without the expected locking while another kernel thread requests TPM random data, causing TPM communication errors and invalid status readings. The public record describes a reliability and suspend-path issue, not confirmed remote compromise or active exploitation.
Executive priority
Treat this as a kernel maintenance priority, not an emergency, unless affected systems depend heavily on TPM reliability during suspend. No active exploitation is cited, but TPM errors can affect endpoint stability and security-adjacent platform functions.
Technical view
The flaw is in Linux kernel tpm_pm_suspend(). TPM transactions were performed unconditionally, allowing races with other TPM users such as the hw_random TPM driver calling tpm_get_random() from a kthread. The fix changes the suspend path to call tpm_try_get_ops(), which takes the appropriate mutex through tpm_chip_start().
Likely exposure
Exposure is most likely on Linux systems running affected kernel builds with TPM support, especially where suspend/resume is used and the TPM hardware random driver is active. The bundle lists affected Linux kernel versions and stable fix commits, but distribution-specific package status is not provided.
Exploitation context
The provided sources do not show KEV listing, active exploitation, public exploit code, or attacker-controlled exploitation. Evidence is limited to a kernel race observed during suspend, producing TPM transmit errors and invalid TPM status readings.
Researcher notes
Focus review on the TPM suspend path and concurrent TPM consumers. The key evidence is the race between tpm_pm_suspend() and tpm_get_random(), fixed by taking TPM ops locks through tpm_try_get_ops(). Impact beyond observed TPM errors is not quantified in the supplied sources.
Mitigation direction
Apply vendor kernel updates that include the listed stable TPM fix commits.
Check Linux distribution advisories for CVE-2022-48997 package status.
Prioritize laptops, endpoints, and servers that use suspend or TPM-backed functions.
Review kernel change logs for tpm_try_get_ops() protection in tpm_pm_suspend().
Avoid direct wrangler or deployment assumptions; follow normal kernel maintenance procedures.
Validation and detection
Inventory Linux kernel versions and TPM-enabled hosts.
Confirm whether the vendor kernel includes one of the referenced stable commits.
Check kernel logs for TPM transmit errors or invalid TPM_STS during suspend.
Test suspend and resume behavior in staging after patching.
Document distribution-specific status because the bundle lacks package-level mappings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48997 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.