LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48999: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference

In the Linux kernel, the following vulnerability has been resolved: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to be deleted route contains a multipath spec while the fib_info is using a nexthop object.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-48999 is a Linux kernel IPv4 routing bug. A specific route deletion path can trigger a slab out-of-bounds access when nexthop objects and legacy multipath route data are mixed. The public record confirms a kernel fix, but does not provide CVSS, a broad impact statement, or evidence of exploitation.

Executive priority

Treat this as a targeted kernel maintenance issue unless your environment heavily uses Linux-based routing. There is no cited exploitation or severity score, but kernel memory safety faults deserve timely patching through normal vendor kernel update channels.

Technical view

The bug is in IPv4 FIB route deletion, specifically fib_nh_match during fib_table_delete via inet_rtm_delroute. The fix returns early when the route delete configuration contains a multipath spec while the stored fib_info uses a nexthop object, because those models are mutually exclusive.

Likely exposure

Exposure appears limited to Linux systems running affected kernel lines with IPv4 routing configurations involving nexthop objects and multipath routes. The source lists Linux 5.3 through fixed stable branch points, but does not define affected distributions, appliances, or managed service products.

Exploitation context

The CVE record does not report active exploitation, and KEV status is false. The source describes a slab out-of-bounds access found during route deletion, but does not state attacker prerequisites, remote reachability, reliability, or whether denial of service is the only practical impact.

Researcher notes

The available evidence is narrow: a kernel commit message, affected version metadata, and no CVSS or CWE. Avoid assuming remote exploitability. Focus validation on branch-specific backports and route-management paths involving nexthop objects versus legacy multipath specifications.

Mitigation direction

  • Upgrade to a Linux kernel containing the referenced stable fix for your branch.
  • Check your Linux distribution advisory for the packaged kernel version carrying this fix.
  • Prioritize systems where administrators or automation modify IPv4 nexthop and multipath routes.
  • Restrict route-management privileges to trusted administrators and controlled automation.
  • Monitor vendor guidance for additional mitigations or backport details.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, containers hosts, and network nodes.
  • Compare installed kernel packages against vendor advisories for CVE-2022-48999.
  • Review routing automation for IPv4 nexthop object and multipath route usage.
  • Confirm patched systems are running the updated kernel after reboot or live patch application.
  • Check vulnerability scanner results against actual running kernels, not only installed packages.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48999 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux493ced1ac47c48bb86d9d4e8e87df8592be85a0e, 493ced1ac47c48bb86d9d4e8e87df8592be85a0e, 493ced1ac47c48bb86d9d4e8e87df8592be85a0e, 493ced1ac47c48bb86d9d4e8e87df8592be85a0e, 493ced1ac47c48bb86d9d4e8e87df8592be85a0eunaffected
LinuxLinux5.3, 0, 5.4.226, 5.10.158, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.