CVE-2022-48999: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:
fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874
Separate nexthop objects are mutually exclusive with the legacy
multipath spec. Fix fib_nh_match to return if the config for the
to be deleted route contains a multipath spec while the fib_info
is using a nexthop object.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48999 is a Linux kernel IPv4 routing bug. A specific route deletion path can trigger a slab out-of-bounds access when nexthop objects and legacy multipath route data are mixed. The public record confirms a kernel fix, but does not provide CVSS, a broad impact statement, or evidence of exploitation.
Executive priority
Treat this as a targeted kernel maintenance issue unless your environment heavily uses Linux-based routing. There is no cited exploitation or severity score, but kernel memory safety faults deserve timely patching through normal vendor kernel update channels.
Technical view
The bug is in IPv4 FIB route deletion, specifically fib_nh_match during fib_table_delete via inet_rtm_delroute. The fix returns early when the route delete configuration contains a multipath spec while the stored fib_info uses a nexthop object, because those models are mutually exclusive.
Likely exposure
Exposure appears limited to Linux systems running affected kernel lines with IPv4 routing configurations involving nexthop objects and multipath routes. The source lists Linux 5.3 through fixed stable branch points, but does not define affected distributions, appliances, or managed service products.
Exploitation context
The CVE record does not report active exploitation, and KEV status is false. The source describes a slab out-of-bounds access found during route deletion, but does not state attacker prerequisites, remote reachability, reliability, or whether denial of service is the only practical impact.
Researcher notes
The available evidence is narrow: a kernel commit message, affected version metadata, and no CVSS or CWE. Avoid assuming remote exploitability. Focus validation on branch-specific backports and route-management paths involving nexthop objects versus legacy multipath specifications.
Mitigation direction
Upgrade to a Linux kernel containing the referenced stable fix for your branch.
Check your Linux distribution advisory for the packaged kernel version carrying this fix.
Prioritize systems where administrators or automation modify IPv4 nexthop and multipath routes.
Restrict route-management privileges to trusted administrators and controlled automation.
Monitor vendor guidance for additional mitigations or backport details.
Validation and detection
Inventory Linux kernel versions across servers, appliances, containers hosts, and network nodes.
Compare installed kernel packages against vendor advisories for CVE-2022-48999.
Review routing automation for IPv4 nexthop object and multipath route usage.
Confirm patched systems are running the updated kernel after reboot or live patch application.
Check vulnerability scanner results against actual running kernels, not only installed packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48999 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.