CVE-2022-49907: net: mdio: fix undefined behavior in bit shift for __mdiobus_register
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: fix undefined behavior in bit shift for __mdiobus_register
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
__mdiobus_register+0x49d/0x4e0
fixed_mdio_bus_init+0xd8/0x12d
do_one_initcall+0x76/0x430
kernel_init_freeable+0x3b3/0x422
kernel_init+0x24/0x1e0
ret_from_fork+0x1f/0x30
</TASK>
Security readout for executives and security teams
Plain-English summary
CVE-2022-49907 is a Linux kernel bug in MDIO bus registration. The available record describes undefined behavior from shifting a signed 32-bit value too far, producing a UBSAN warning during kernel initialization. Business impact is unclear because no CVSS, CWE, exploit impact, or vendor mitigation details are provided.
Executive priority
Treat this as a routine kernel maintenance item unless your environment relies heavily on embedded or specialized networking hardware. There is no cited exploitation or severity score, but affected kernels should still receive normal security updates.
Technical view
The issue is in drivers/net/phy/mdio_bus.c within __mdiobus_register. A signed integer shift by 31 bits is undefined, and the fix changes the significant bit handling to unsigned. The source shows a UBSAN shift-out-of-bounds trace during fixed_mdio_bus_init, with stable kernel commit references supplied.
Likely exposure
Exposure appears limited to Linux kernels using the affected MDIO/PHY bus registration path. The source lists Linux as affected across multiple kernel version lines, but the bundled data does not provide complete fixed-version semantics or distribution package mappings.
Exploitation context
No active exploitation is indicated. The bundle says KEV is false and provides no public exploit evidence. The described symptom is a UBSAN warning during initialization, not a documented remote attack path or privilege-escalation technique.
Researcher notes
The record lacks CVSS, CWE, exploitability analysis, and distribution fixed versions. Analysis should focus on reachability of __mdiobus_register through configured MDIO/PHY drivers and confirmation of the unsigned-bit fix in the deployed kernel source or vendor build.
Mitigation direction
Apply a vendor or distribution kernel update that includes the referenced stable fixes.
Prioritize systems with MDIO/PHY networking drivers or embedded networking hardware.
Check Linux kernel and distribution advisories for exact fixed package versions.
Avoid inventing workarounds; use vendor guidance if upgrade is delayed.
Validation and detection
Inventory Linux kernel versions and map them to distribution security advisories.
Check whether affected MDIO/PHY drivers are built or loaded on relevant systems.
Confirm the running kernel includes one of the referenced stable fixes.
Review boot or kernel logs for UBSAN shift-out-of-bounds messages in mdio_bus.c.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49907 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
9Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 1, 2025, 14:10 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.