{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T19:18:18.957","vulnerabilities":[{"cve":{"id":"CVE-2022-49703","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:01:45.947","lastModified":"2025-10-01T20:17:06.120","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Store vhost pointer during subcrq allocation\n\nCurrently the back pointer from a queue to the vhost adapter isn't set\nuntil after subcrq interrupt registration. The value is available when a\nqueue is first allocated and can/should be also set for primary and async\nqueues as well as subcrqs.\n\nThis fixes a crash observed during kexec/kdump on Power 9 with legacy XICS\ninterrupt controller where a pending subcrq interrupt from the previous\nkernel can be replayed immediately upon IRQ registration resulting in\ndereference of a garbage backpointer in ibmvfc_interrupt_scsi().\n\nKernel attempted to read user page (58) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000058\nFaulting instruction address: 0xc008000003216a08\nOops: Kernel access of bad area, sig: 11 [#1]\n...\nNIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]\nLR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\nCall Trace:\n[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)\n[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\n[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188\n[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310\n[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80\n[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0\n[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130\n[c000000014622f60] [0000000020000000] 0x20000000\n[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0\n[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0\n[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170\n[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0\n[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0\n[c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230\n[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]\n[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]\n[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]\n[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]\n[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ibmvfc: almacenar puntero de vhost durante la asignación de subcrq Actualmente, el puntero hacia atrás de una cola al adaptador de vhost no se establece hasta después del registro de interrupción de subcrq. El valor está disponible cuando se asigna una cola por primera vez y también se puede/debe establecer para colas primarias y asincrónicas, así como para subcrq. Esto corrige un fallo observado durante kexec/kdump en Power 9 con el controlador de interrupción XICS heredado, donde una interrupción de subcrq pendiente del kernel anterior se puede reproducir inmediatamente después del registro de IRQ, lo que resulta en la desreferencia de un puntero hacia atrás basura en ibmvfc_interrupt_scsi(). El kernel intentó leer la página del usuario (58) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000058 Faulting instruction address: 0xc008000003216a08 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc] LR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270 Call Trace: [c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable) [c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270 [c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188 [c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310 [c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80 [c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0 [c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130 [c000000014622f60] [0000000020000000] 0x20000000 [c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0 [c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0 [c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170 [c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0 [c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0 [c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230 [c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc] [c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc] [c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc] [c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc] [c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc] "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.15.51","matchCriteriaId":"4F253781-33CA-48EF-8F4F-312C5101785F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.18.8","matchCriteriaId":"0172D3FA-DDEB-482A-A270-4A1495A8798C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*","matchCriteriaId":"A8C30C2D-F82D-4D37-AB48-D76ABFBD5377"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*","matchCriteriaId":"BF8547FC-C849-4F1B-804B-A93AE2F04A92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F3068028-F453-4A1C-B80F-3F5609ACEF60"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6d38e3b614ded59da8b95377a98df969a5a5627a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8540f66196ca35b7b5e902932571c18b9fde0cd1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aeaadcde1a60138bceb65de3cdaeec78170b4459","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}