CVE-2022-49904: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49904 is a vulnerability discovered in the Linux kernel's networking subsystem, specifically affecting the neighbor table clearing functionality. The vulnerability was disclosed on May 1, 2025, and affects various versions of the Linux kernel. The issue occurs in the neightableclear() function when the IPv6 module initialization encounters an error (NVD).

The vulnerability manifests during IPv6 module initialization when an error occurs. The issue specifically arises in the cleanup process where neightableclear() calls neighifdown(tbl, NULL), which subsequently calls pneighqueuepurge(&tbl->proxyqueue, devnet(dev == NULL)). The devnet(NULL) call triggers a null pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Wiz).

When exploited, this vulnerability results in a kernel panic with KASAN reporting a null-ptr-deref in the range [0x0000000000000598-0x000000000000059f]. This leads to system instability and potential denial of service, affecting system availability (NVD).

The vulnerability has been patched by modifying the neighifdown() function to pass NULL to pneighqueue_purge() when dev is NULL, which prevents the kernel panic. This fix has been incorporated into various Linux kernel versions (NVD).