CVE-2022-48748: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-48748 is a memory leak vulnerability discovered in the Linux kernel's Network Bridge VLAN functionality. The vulnerability was disclosed on June 20, 2024, affecting the Linux kernel version 5.6. The issue occurs in the _allowedingress function when using per-vlan state with disabled vlan snooping and stats (NVD, ASEC).

The vulnerability stems from a memory leak in the _allowedingress function of the Network Bridge VLAN implementation. When using per-vlan state with disabled vlan snooping and stats, untagged or priority-tagged ingress frames are checked against the pvid state. If the port state is forwarding and the pvid state is not learning/forwarding, the frame is dropped but the skb memory is not properly freed. The issue was introduced by commit a580c76d534c ("net: bridge: vlan: add per-vlan state"). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) (Kernel Git, NVD).

The vulnerability can lead to memory leaks in the Linux kernel when processing VLAN traffic on network bridges. This could potentially result in system resource exhaustion over time, affecting system stability and performance (ASEC).

The vulnerability has been fixed in multiple Linux kernel versions including 5.10.96, 5.15.19, 5.16.5, and 5.17. The fix involves properly freeing the skb memory when _allowedingress returns false. Users are advised to update their Linux kernel to the patched versions (ASEC).