CVE-2022-49582: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-49582 is a vulnerability in the Linux kernel's Distributed Switch Architecture (DSA) subsystem. The issue involves a NULL pointer dereference in the dsaportresetvlanfiltering function. The vulnerability was discovered when the 'ds' iterator variable used in dsaportresetvlanfiltering() -> dsaswitchforeachport() overwrites the 'dp' received as argument (Kernel Commit).

The vulnerability occurs when switches with vlanfilteringisglobal=true enter a specific code path, resulting in dereferencing an invalid dp in dsaportresetvlan_filtering() after leaving a VLAN-aware bridge. The issue stems from a variable overwrite problem where the iterator variable overwrites the function argument. According to Ubuntu's security assessment, this vulnerability has been assigned a CVSS 3 Severity Score of 5.5 (Medium) (Ubuntu Security).

When exploited, this vulnerability can lead to a NULL pointer dereference in the Linux kernel's networking subsystem, specifically affecting systems using the Distributed Switch Architecture (DSA) functionality. This could potentially result in system crashes or denial of service conditions.

The issue has been fixed by introducing a dedicated 'other_dp' iterator variable to avoid the variable overwrite problem. The fix was implemented in the Linux kernel through a patch that modifies the net/dsa/port.c file. The patch has been backported to various maintained kernel versions (Kernel Commit).