vulnerability

Rocky Linux: CVE-2022-48830: kernel (RLSA-2025-20518)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:L/AC:M/Au:S/C:N/I:N/A:C)	Nov 21, 2025	Feb 5, 2026	Feb 5, 2026

Severity

CVSS

(AV:L/AC:M/Au:S/C:N/I:N/A:C)

Published

Nov 21, 2025

Added

Feb 5, 2026

Modified

Feb 5, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix potential CAN frame reception race in isotp_rcv()

When receiving a CAN frame the current code logic does not consider
concurrently receiving processes which do not show up in real world
usage.

Ziyang Xuan writes:

The following syz problem is one of the scenarios. so->rx.len is
changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals
0 before alloc_skb() and equals 4096 after alloc_skb(). That will
trigger skb_over_panic() in skb_put().

=======================================================
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:118 [inline]
skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
isotp_rcv_cf net/can/isotp.c:570 [inline]
isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
deliver net/can/af_can.c:574 [inline]
can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
can_receive+0x31d/0x580 net/can/af_can.c:665
can_rcv+0x120/0x1c0 net/can/af_can.c:696
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
__netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579

Therefore we make sure the state changes and data structures stay
consistent at CAN frame reception time by adding a spin_lock in
isotp_rcv(). This fixes the issue reported by syzkaller but does not
affect real world operation.

Solutions

rocky-upgrade-kernelrocky-upgrade-kernel-corerocky-upgrade-kernel-debugrocky-upgrade-kernel-debug-corerocky-upgrade-kernel-debug-debuginforocky-upgrade-kernel-debug-develrocky-upgrade-kernel-debug-devel-matchedrocky-upgrade-kernel-debug-modulesrocky-upgrade-kernel-debug-modules-corerocky-upgrade-kernel-debug-modules-extrarocky-upgrade-kernel-debug-uki-virtrocky-upgrade-kernel-debuginforocky-upgrade-kernel-debuginfo-common-s390xrocky-upgrade-kernel-debuginfo-common-x86_64rocky-upgrade-kernel-develrocky-upgrade-kernel-devel-matchedrocky-upgrade-kernel-modulesrocky-upgrade-kernel-modules-corerocky-upgrade-kernel-modules-extrarocky-upgrade-kernel-rtrocky-upgrade-kernel-rt-corerocky-upgrade-kernel-rt-debugrocky-upgrade-kernel-rt-debug-corerocky-upgrade-kernel-rt-debug-debuginforocky-upgrade-kernel-rt-debug-develrocky-upgrade-kernel-rt-debug-modulesrocky-upgrade-kernel-rt-debug-modules-corerocky-upgrade-kernel-rt-debug-modules-extrarocky-upgrade-kernel-rt-debuginforocky-upgrade-kernel-rt-develrocky-upgrade-kernel-rt-modulesrocky-upgrade-kernel-rt-modules-corerocky-upgrade-kernel-rt-modules-extrarocky-upgrade-kernel-toolsrocky-upgrade-kernel-tools-debuginforocky-upgrade-kernel-tools-libsrocky-upgrade-kernel-tools-libs-develrocky-upgrade-kernel-uki-virtrocky-upgrade-kernel-uki-virt-addonsrocky-upgrade-kernel-zfcpdumprocky-upgrade-kernel-zfcpdump-corerocky-upgrade-kernel-zfcpdump-debuginforocky-upgrade-kernel-zfcpdump-develrocky-upgrade-kernel-zfcpdump-devel-matchedrocky-upgrade-kernel-zfcpdump-modulesrocky-upgrade-kernel-zfcpdump-modules-corerocky-upgrade-kernel-zfcpdump-modules-extrarocky-upgrade-libperfrocky-upgrade-libperf-debuginforocky-upgrade-perfrocky-upgrade-perf-debuginforocky-upgrade-python3-perfrocky-upgrade-python3-perf-debuginforocky-upgrade-rtlarocky-upgrade-rv

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today