CVE-2022-48687: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48687 is a vulnerability in the Linux kernel's IPv6 Segment Routing (SRv6) implementation. The vulnerability was discovered in the HMAC data configuration functionality of the SRv6 layer, which is used to sign IPv6 Segment Routing Headers. The issue was first disclosed on May 3, 2024, affecting multiple versions of the Linux kernel from 4.10 through 5.19.9 (NVD).

The vulnerability stems from an out-of-bounds read condition in the net/ipv6/seg6.c file. The SRv6 layer uses four netlink attributes (SEG6ATTRHMACKEYID, SEG6ATTRSECRET, SEG6ATTRSECRETLEN, and SEG6ATTRALGID) for HMAC data configuration. The issue arises because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, allowing invalid combinations such as an empty secret with a length of 64 bytes. This can lead to an out-of-bounds read of up to 64 bytes past the skb end pointer and into skbsharedinfo. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows an attacker to perform an out-of-bounds read of up to 64 bytes of kernel memory. The exposed data can be read back from userspace by dumping HMAC state, potentially leading to information disclosure from the kernel (NVD).

The vulnerability has been fixed by adding a check to ensure SECRETLEN cannot exceed the actual length of SECRET. The fix has been implemented in the Linux kernel, and affected users should update to a patched version. Red Hat has confirmed the fix is included in Red Hat Enterprise Linux 9 (Red Hat).