LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49907: net: mdio: fix undefined behavior in bit shift for __mdiobus_register

In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix undefined behavior in bit shift for __mdiobus_register Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c __mdiobus_register+0x49d/0x4e0 fixed_mdio_bus_init+0xd8/0x12d do_one_initcall+0x76/0x430 kernel_init_freeable+0x3b3/0x422 kernel_init+0x24/0x1e0 ret_from_fork+0x1f/0x30 </TASK>

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2022-49907 is a Linux kernel bug in MDIO bus registration. The available record describes undefined behavior from shifting a signed 32-bit value too far, producing a UBSAN warning during kernel initialization. Business impact is unclear because no CVSS, CWE, exploit impact, or vendor mitigation details are provided.

Executive priority

Treat this as a routine kernel maintenance item unless your environment relies heavily on embedded or specialized networking hardware. There is no cited exploitation or severity score, but affected kernels should still receive normal security updates.

Technical view

The issue is in drivers/net/phy/mdio_bus.c within __mdiobus_register. A signed integer shift by 31 bits is undefined, and the fix changes the significant bit handling to unsigned. The source shows a UBSAN shift-out-of-bounds trace during fixed_mdio_bus_init, with stable kernel commit references supplied.

Likely exposure

Exposure appears limited to Linux kernels using the affected MDIO/PHY bus registration path. The source lists Linux as affected across multiple kernel version lines, but the bundled data does not provide complete fixed-version semantics or distribution package mappings.

Exploitation context

No active exploitation is indicated. The bundle says KEV is false and provides no public exploit evidence. The described symptom is a UBSAN warning during initialization, not a documented remote attack path or privilege-escalation technique.

Researcher notes

The record lacks CVSS, CWE, exploitability analysis, and distribution fixed versions. Analysis should focus on reachability of __mdiobus_register through configured MDIO/PHY drivers and confirmation of the unsigned-bit fix in the deployed kernel source or vendor build.

Mitigation direction

  • Apply a vendor or distribution kernel update that includes the referenced stable fixes.
  • Prioritize systems with MDIO/PHY networking drivers or embedded networking hardware.
  • Check Linux kernel and distribution advisories for exact fixed package versions.
  • Avoid inventing workarounds; use vendor guidance if upgrade is delayed.

Validation and detection

  • Inventory Linux kernel versions and map them to distribution security advisories.
  • Check whether affected MDIO/PHY drivers are built or loaded on relevant systems.
  • Confirm the running kernel includes one of the referenced stable fixes.
  • Review boot or kernel logs for UBSAN shift-out-of-bounds messages in mdio_bus.c.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49907 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
9Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6c, 4fd5f812c23c7deee6425f4a318e85c317cd1d6cunaffected
LinuxLinux2.6.28, 0, 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154, 5.15.78, 6.0.8, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.