CVE-2022-49928: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49928 is a vulnerability in the Linux kernel's SUNRPC (Remote Procedure Call) subsystem that was disclosed on May 1, 2025. The vulnerability affects Linux kernel versions from 5.14 up to 5.15.78 and from 5.16 up to 6.0.8, including release candidates 6.1-rc1, 6.1-rc2, and 6.1-rc3 (NVD).

The vulnerability is characterized by a null pointer dereference that occurs when xps sysfs allocation fails in the SUNRPC subsystem. Specifically, the issue manifests in the sysfsdocreatelinksd function when the xprt_switch sysfs allocation fails and the system attempts to add xprt and switch sysfs to it. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in a system crash due to the null pointer dereference, potentially leading to a denial of service condition. The issue specifically affects the kernel's RPC (Remote Procedure Call) functionality, which is a critical component for network communications (Wiz).

The vulnerability has been addressed in the Linux kernel through a patch that implements proper initialization of the 'xps_sysfs' to NULL and adds checks to prevent adding xprt and switch sysfs when allocation fails. Red Hat Enterprise Linux 9 has deferred the fix, while some versions are not affected or are out of support scope (Wiz).