LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48997: char: tpm: Protect tpm_pm_suspend with locks

In the Linux kernel, the following vulnerability has been resolved: char: tpm: Protect tpm_pm_suspend with locks Currently tpm transactions are executed unconditionally in tpm_pm_suspend() function, which may lead to races with other tpm accessors in the system. Specifically, the hw_random tpm driver makes use of tpm_get_random(), and this function is called in a loop from a kthread, which means it's not frozen alongside userspace, and so can race with the work done during system suspend: tpm tpm0: tpm_transmit: tpm_recv: error -52 tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Call Trace: tpm_tis_status.cold+0x19/0x20 tpm_transmit+0x13b/0x390 tpm_transmit_cmd+0x20/0x80 tpm1_pm_suspend+0xa6/0x110 tpm_pm_suspend+0x53/0x80 __pnp_bus_suspend+0x35/0xe0 __device_suspend+0x10f/0x350 Fix this by calling tpm_try_get_ops(), which itself is a wrapper around tpm_chip_start(), but takes the appropriate mutex. [Jason: reworked commit message, added metadata]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-48997 is a Linux kernel TPM driver race during system suspend. TPM operations can run without the expected locking while another kernel thread requests TPM random data, causing TPM communication errors and invalid status readings. The public record describes a reliability and suspend-path issue, not confirmed remote compromise or active exploitation.

Executive priority

Treat this as a kernel maintenance priority, not an emergency, unless affected systems depend heavily on TPM reliability during suspend. No active exploitation is cited, but TPM errors can affect endpoint stability and security-adjacent platform functions.

Technical view

The flaw is in Linux kernel tpm_pm_suspend(). TPM transactions were performed unconditionally, allowing races with other TPM users such as the hw_random TPM driver calling tpm_get_random() from a kthread. The fix changes the suspend path to call tpm_try_get_ops(), which takes the appropriate mutex through tpm_chip_start().

Likely exposure

Exposure is most likely on Linux systems running affected kernel builds with TPM support, especially where suspend/resume is used and the TPM hardware random driver is active. The bundle lists affected Linux kernel versions and stable fix commits, but distribution-specific package status is not provided.

Exploitation context

The provided sources do not show KEV listing, active exploitation, public exploit code, or attacker-controlled exploitation. Evidence is limited to a kernel race observed during suspend, producing TPM transmit errors and invalid TPM status readings.

Researcher notes

Focus review on the TPM suspend path and concurrent TPM consumers. The key evidence is the race between tpm_pm_suspend() and tpm_get_random(), fixed by taking TPM ops locks through tpm_try_get_ops(). Impact beyond observed TPM errors is not quantified in the supplied sources.

Mitigation direction

  • Apply vendor kernel updates that include the listed stable TPM fix commits.
  • Check Linux distribution advisories for CVE-2022-48997 package status.
  • Prioritize laptops, endpoints, and servers that use suspend or TPM-backed functions.
  • Review kernel change logs for tpm_try_get_ops() protection in tpm_pm_suspend().
  • Avoid direct wrangler or deployment assumptions; follow normal kernel maintenance procedures.

Validation and detection

  • Inventory Linux kernel versions and TPM-enabled hosts.
  • Confirm whether the vendor kernel includes one of the referenced stable commits.
  • Check kernel logs for TPM transmit errors or invalid TPM_STS during suspend.
  • Test suspend and resume behavior in staging after patching.
  • Document distribution-specific status because the bundle lacks package-level mappings.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48997 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe891db1a18bf11e02533ec2386b796cfd8d60666, e891db1a18bf11e02533ec2386b796cfd8d60666, e891db1a18bf11e02533ec2386b796cfd8d60666, e891db1a18bf11e02533ec2386b796cfd8d60666, e891db1a18bf11e02533ec2386b796cfd8d60666unaffected
LinuxLinux5.1, 0, 5.4.226, 5.10.158, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.