LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49537: scsi: lpfc: Fix call trace observed during I/O with CMF enabled

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix call trace observed during I/O with CMF enabled The following was seen with CMF enabled: BUG: using smp_processor_id() in preemptible code: systemd-udevd/31711 kernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc] kernel: CPU: 12 PID: 31711 Comm: systemd-udevd kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x44/0x57 kernel: check_preemption_disabled+0xbf/0xe0 kernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc] kernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc] this_cpu_ptr() calls smp_processor_id() in a preemptible context. Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel storage-driver reliability issue. Systems using the lpfc SCSI/Fibre Channel driver with CMF enabled could hit a kernel BUG call trace during I/O. The sources do not show remote exploitation, privilege escalation, data theft, or a confirmed crash outcome.

Executive priority

Treat this as targeted maintenance for storage infrastructure, not an emergency internet-wide exposure. Prioritize hosts where Fibre Channel storage reliability is business-critical, especially production virtualization, database, or SAN-connected workloads.

Technical view

The lpfc driver called this_cpu_ptr(), which invokes smp_processor_id(), from preemptible context during NVMe/FCP I/O with CMF enabled. The resolved fix uses per_cpu_ptr() with raw_smp_processor_id() instead. The source bundle lists affected Linux 5.15-era through 5.18.3/5.17.14 ranges and stable patch commits.

Likely exposure

Exposure appears limited to Linux systems using the lpfc storage driver and CMF during I/O. General Linux servers not using this driver or feature are less likely to be affected. Version status should be confirmed against distribution kernel backports.

Exploitation context

CISA KEV status is false in the bundle, and no cited source claims active exploitation. The available evidence describes an observed kernel call trace during I/O, not an attacker-controlled exploit path.

Researcher notes

The record lacks CVSS, CWE, and detailed impact classification. Analysis should avoid assuming memory corruption or privilege impact. Key evidence is the kernel BUG trace and the upstream lpfc fix replacing per-CPU access in preemptible context.

Mitigation direction

  • Apply a vendor kernel update containing the referenced lpfc stable fix.
  • Confirm distribution backports rather than relying only on upstream version numbers.
  • If patching is delayed, review vendor guidance for lpfc or CMF-specific workarounds.
  • Prioritize storage hosts using lpfc with CMF enabled.

Validation and detection

  • Inventory Linux hosts running affected kernel branches.
  • Identify systems loading or depending on the lpfc driver.
  • Check whether CMF is enabled on lpfc storage paths.
  • Review kernel logs for the cited lpfc call trace pattern.
  • Verify installed kernels include one referenced stable commit or vendor equivalent.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49537 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux02243836ad6f384284f10302e6b820b893960d1c, 02243836ad6f384284f10302e6b820b893960d1c, 02243836ad6f384284f10302e6b820b893960d1c, 02243836ad6f384284f10302e6b820b893960d1cunaffected
LinuxLinux5.15, 0, 5.15.46, 5.17.14, 5.18.3, 5.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.