{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-48870", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.921Z", "datePublished": "2024-08-21T06:10:00.678Z", "dateUpdated": "2026-05-11T18:48:45.319Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T18:48:45.319Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n <TASK>\n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accessibility/speakup/spk_ttyio.c"], "versions": [{"version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "2da67bff29ab49caafb0766e8b8383b735ff796f", "status": "affected", "versionType": "git"}, {"version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "64152e05a4de3ebf59f1740a0985a6d5fba0c77b", "status": "affected", "versionType": "git"}, {"version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accessibility/speakup/spk_ttyio.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.90", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.8", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.90"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.1.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f"}, {"url": "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b"}, {"url": "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5"}], "title": "tty: fix possible null-ptr-defer in spk_ttyio_release", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:05:32.027830Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:32:54.375Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:05:32.027830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:11.943Z"}}], "cna": {"title": "tty: fix possible null-ptr-defer in spk_ttyio_release", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "2da67bff29ab49caafb0766e8b8383b735ff796f", "versionType": "git"}, {"status": "affected", "version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "64152e05a4de3ebf59f1740a0985a6d5fba0c77b", "versionType": "git"}, {"status": "affected", "version": "4f2a81f3a88217e7340b2cab5c0a5ebd0112514c", "lessThan": "5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5", "versionType": "git"}], "programFiles": ["drivers/accessibility/speakup/spk_ttyio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.12"}, {"status": "unaffected", "version": "0", "lessThan": "5.12", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.90", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.8", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/accessibility/speakup/spk_ttyio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f"}, {"url": "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b"}, {"url": "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n <TASK>\n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:09:33.340Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48870", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:09:33.340Z", "dateReserved": "2024-07-16T11:38:08.921Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-21T06:10:00.678Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "82544A71-562D-4C2F-B75E-7193C3B97CD0", "versionEndExcluding": "5.15.90", "versionStartIncluding": "5.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6AFE6C9-3F59-4711-B2CF-7D6682FF6BD0", "versionEndExcluding": "6.1.8", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n <TASK>\n spk_ttyio_release+0x19/0x70 [speakup]\n synth_release.part.6+0xac/0xc0 [speakup]\n synth_remove+0x56/0x60 [speakup]\n __x64_sys_delete_module+0x156/0x250\n ? fpregs_assert_state_consistent+0x1d/0x50\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: corrige posible null-ptr-defer en spk_ttyio_release Ejecute las siguientes pruebas en la plataforma qemu: syzkaller:~# modprobe Speakup_audptr input: Speakup as /devices/virtual/input/input4 dispositivo inicializado: /dev/synth, nodo (MAJOR 10, MINOR 125) Speakup 3.1.6: el nombre del sintetizador inicializado en la entrada es: (nulo) la sonda de sintetizador spk_ttyio_initialise_ldisc fall\u00f3 porque tty_kopen_exclusive devolvi\u00f3 un error (errno -16), luego elimine el m\u00f3dulo, obtendremos un problema de aplazamiento de ptr nulo, como sigue: syzkaller:~# modprobe -r Speakup_audptr liberando sintetizador audptr ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000080 #PF: acceso de escritura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0002 ) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe No contaminado 6.1.0-rc6-dirty #1 RIP: 0010:mutex_lock+0x14/0x30 Llamada Seguimiento: spk_ttyio_release+0x19/0x70 [speakup] synth_release.part.6+0xac/0xc0 [speakup] synth_remove+0x56/0x60 [speakup] __x64_sys_delete_module+0x156/0x250? fpregs_assert_state_consistent+0x1d/0x50 do_syscall_64+0x37/0x90 entry_syscall_64_after_hwframe+0x63/0xcd m\u00f3dulos vinculados en: sheakup_audptr (-) volcando ftrace b\u00fafer: in_synth-&gt;&gt; nth-&gt; dev para corregir este error."}], "id": "CVE-2022-48870", "lastModified": "2024-09-06T14:20:52.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-21T07:15:04.143", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tty: fix possible null-ptr-defer in spk_ttyio_release", "id": "2306391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2306391"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntty: fix possible null-ptr-defer in spk_ttyio_release\nRun the following tests on the qemu platform:\nsyzkaller:~# modprobe speakup_audptr\ninput: Speakup as /devices/virtual/input/input4\ninitialized device: /dev/synth, node (MAJOR 10, MINOR 125)\nspeakup 3.1.6: initialized\nsynth name on entry is: (null)\nsynth probe\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\nsyzkaller:~# modprobe -r speakup_audptr\nreleasing synth audptr\nBUG: kernel NULL pointer dereference, address: 0000000000000080\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\nRIP: 0010:mutex_lock+0x14/0x30\nCall Trace:\n<TASK>\nspk_ttyio_release+0x19/0x70 [speakup]\nsynth_release.part.6+0xac/0xc0 [speakup]\nsynth_remove+0x56/0x60 [speakup]\n__x64_sys_delete_module+0x156/0x250\n? fpregs_assert_state_consistent+0x1d/0x50\ndo_syscall_64+0x37/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>\nModules linked in: speakup_audptr(-) speakup\nDumping ftrace buffer:\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48870", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48870\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48870\nhttps://lore.kernel.org/linux-cve-announce/2024082105-CVE-2022-48870-3fcb@gregkh/T"], "statement": "Red Hat Enterprise Linux is not impacted by this CVE, as the vulnerability in question does not affect the specific versions or configurations of the Linux kernel used in its distributions. This ensures that users of Red Hat Enterprise Linux are not exposed to the potential risks associated with this issue, and no further action or mitigation is necessary for systems running this operating system.", "threat_severity": "Moderate"}

{}