Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is a configuration-specific runtime warning triggered when reading /proc/cpuinfo. The public record does not show data theft, privilege escalation, service compromise, or active exploitation. Business urgency appears low, but affected kernel fleets should still take normal kernel update action through vendor channels.
Executive priority
Handle through normal kernel maintenance unless local systems match the narrow configuration and architecture exposure. There is no cited active exploitation or high-impact behavior in the provided record, so this should not displace urgent exploited-kernel remediation.
Technical view
The bug is in the Linux sh cpuinfo path. With CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS enabled, show_cpuinfo iterated CPUs using NR_CPUS instead of nr_cpu_ids, causing cpu_max_bits_warn() when /proc/cpuinfo is displayed. Stable kernel commits replace the compile-time limit with the runtime CPU limit.
Likely exposure
Exposure appears limited to Linux systems on the affected sh cpuinfo code path with CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS enabled. The CVE record lists affected Linux kernel ranges and stable fixes, but does not provide CPEs, CVSS, or broad product-specific impact detail.
Exploitation context
The source bundle provides no evidence of active exploitation, and KEV is false. The described trigger is reading /proc/cpuinfo under specific kernel configuration conditions, producing a kernel warning. No exploit primitives or attacker impact are established in the provided sources.
Researcher notes
Key evidence is the kernel description and stable commit references. Impact is narrowly described as a runtime warning, and severity metadata is absent. Treat any broader security impact as unproven unless vendor advisories add new information.
Mitigation direction
Apply vendor kernel updates that include the referenced stable Linux fixes.
Check distribution advisories, including Debian LTS, for packaged kernel remediation.
Inventory kernels using affected versions and relevant kernel configuration options.
Avoid treating debug-only warning fixes as emergency patches without local exposure evidence.
Validation and detection
Confirm running kernel version against vendor-fixed package versions or stable commit inclusion.
Check whether CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are enabled.
Review kernel logs for cpu_max_bits_warn() warnings after /proc/cpuinfo reads.
Document whether systems use the affected sh architecture cpuinfo path.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49034 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
11Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 27, 2024, 13:49 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.