CVE-2022-48977

can: af_can: fix NULL pointer dereference in can_rcv_filter

Description

In the Linux kernel, the following vulnerability has been resolved: can: af_can: fix NULL pointer dereference in can_rcv_filter Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames. Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices claim to be CAN devices but do not initialize ml_priv accordingly.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/3982652957e8d79ac32efcb725450580650a8644 patch
https://git.kernel.org/stable/c/c42221efb1159d6a3c89e96685ee38acdce86b6f patch
https://git.kernel.org/stable/c/c142cba37de29f740a3852f01f59876af8ae462a patch
https://git.kernel.org/stable/c/fcc63f2f7ee3038d53216edd0d8291e57c752557 patch
https://git.kernel.org/stable/c/0acc442309a0a1b01bcdaa135e56e6398a49439c patch

Frequently Asked Questions

What is the severity of CVE-2022-48977?
CVE-2022-48977 has been scored as a medium severity vulnerability.
How to fix CVE-2022-48977?
To fix CVE-2022-48977, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-48977 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-48977 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-48977?
CVE-2022-48977 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.