vulnerability
Ubuntu: (CVE-2022-49726): linux vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Feb 26, 2025 | Mar 3, 2025 | Oct 27, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
arch/x86/kernel/cpu/mshyperv.c is never compiled as modular.
(CONFIG_HYPERVISOR_GUEST is boolean)
Solutions
References
- CVE-2022-49726
- https://attackerkb.com/topics/CVE-2022-49726
- CWE-908
- URL-https://git.kernel.org/linus/245b993d8f6c4e25f19191edfbd8080b645e12b1
- URL-https://git.kernel.org/stable/c/0414eab7c78f3518143d383e448d44fc573ac6d2
- URL-https://git.kernel.org/stable/c/245b993d8f6c4e25f19191edfbd8080b645e12b1
- URL-https://git.kernel.org/stable/c/937fcbb55a1e48a6422e87e8f49422c92265f102
- URL-https://git.kernel.org/stable/c/cff3a7ce6e81418b6e8bac941779bbf5d342d626
- URL-https://git.kernel.org/stable/c/db965e2757d95f695e606856418cd84003dd036d
- URL-https://www.cve.org/CVERecord?id=CVE-2022-49726
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.