CVE-2022-1975 Overview
CVE-2022-1975 is a race condition vulnerability affecting the Linux kernel's NFC (Near Field Communication) netlink subsystem. The vulnerability exists in /net/nfc/netlink.c and manifests as a sleep-in-atomic bug that allows a local attacker to crash the Linux kernel by simulating an NFC device from user-space. This flaw can lead to a denial of service condition, causing system instability or complete system crashes.
Critical Impact
Local attackers can exploit this vulnerability to cause a kernel panic and system crash, resulting in denial of service. The bug occurs when code attempts to sleep (via GFP_KERNEL allocation) while in an atomic context, violating Linux kernel concurrency rules.
Affected Products
- Linux Kernel version 5.18-rc6
- Linux Kernel versions with NFC netlink functionality enabled
- Systems with NFC device simulation capabilities from user-space
Discovery Timeline
- 2022-08-31 - CVE-2022-1975 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-1975
Vulnerability Analysis
This vulnerability is classified as a race condition, specifically a "sleep-in-atomic" bug. In the Linux kernel, atomic contexts (such as interrupt handlers, spinlock-protected regions, and certain callback functions) are not permitted to perform operations that might sleep or block. The vulnerable code in /net/nfc/netlink.c incorrectly uses GFP_KERNEL flag for memory allocation during a firmware download timeout scenario, which can potentially sleep while waiting for memory to become available.
The flaw allows local users with the ability to simulate NFC devices from user-space to trigger the bug. When the kernel attempts to allocate memory using nlmsg_new() with the GFP_KERNEL flag while in an atomic context, it violates fundamental kernel concurrency constraints, leading to a kernel panic or system crash.
Root Cause
The root cause of this vulnerability is an improper memory allocation flag in the NFC netlink code. The nlmsg_new() function was called with GFP_KERNEL, which allows the kernel to sleep while waiting for memory. However, this function was being called from a context that required atomic (non-sleeping) operations. The fix involves changing the allocation flag from GFP_KERNEL to GFP_ATOMIC, which guarantees the allocation will not sleep.
Attack Vector
The attack vector is local, requiring an attacker to have authenticated access to the target system. The attacker can exploit this vulnerability by:
- Simulating an NFC device from user-space
- Triggering a firmware download timeout scenario
- Causing the kernel to enter the vulnerable code path where the sleep-in-atomic condition occurs
- Resulting in a kernel panic and system denial of service
The following patch shows the security fix applied to address this vulnerability:
struct sk_buff *msg;
void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!msg)
return -ENOMEM;
Source: Linux Kernel Commit 4071bf1
Detection Methods for CVE-2022-1975
Indicators of Compromise
- Unexpected kernel panics or system crashes with call traces involving /net/nfc/netlink.c
- System logs showing "BUG: sleeping function called from invalid context" messages
- Kernel oops messages referencing NFC netlink functions
- Abnormal NFC device simulation activity from unprivileged user accounts
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for sleep-in-atomic warnings or BUG messages related to NFC subsystem
- Implement audit rules to track NFC-related system calls and netlink socket operations
- Deploy kernel crash dump analysis to identify exploitation attempts
- Use kernel tracing tools (ftrace, eBPF) to monitor atomic context violations in NFC code paths
Monitoring Recommendations
- Configure kernel panic logging to capture detailed stack traces for post-incident analysis
- Enable kernel debugging options like CONFIG_DEBUG_ATOMIC_SLEEP in development/testing environments to proactively detect similar issues
- Monitor for unusual user-space processes attempting to interact with NFC subsystem interfaces
- Implement SentinelOne's Singularity platform for real-time kernel-level threat detection and response
How to Mitigate CVE-2022-1975
Immediate Actions Required
- Update the Linux kernel to a version containing the security patch (commit 4071bf121d59944d5cd2238de0642f3d7995a997)
- If immediate patching is not possible, consider disabling NFC functionality if not required
- Restrict local user access to prevent untrusted users from interacting with NFC subsystems
- Review and limit permissions for NFC device simulation capabilities
Patch Information
The official fix has been merged into the Linux kernel source tree. The patch modifies /net/nfc/netlink.c to use GFP_ATOMIC instead of GFP_KERNEL for memory allocation in the affected code path. This ensures that the allocation will not sleep, making it safe for use in atomic contexts. System administrators should apply kernel updates from their distribution vendors that include this fix. For reference, the patch is available at the Linux kernel commit repository.
Workarounds
- Disable NFC support in the kernel by blacklisting NFC-related modules (nfc, nfc_digital, nfc_shdlc)
- Use kernel module parameters or boot options to prevent NFC module loading
- Implement access controls to restrict which users can interact with NFC netlink interfaces
- Consider using SELinux or AppArmor policies to confine NFC-related operations
# Disable NFC kernel modules as a temporary workaround
echo "blacklist nfc" >> /etc/modprobe.d/disable-nfc.conf
echo "blacklist nfc_digital" >> /etc/modprobe.d/disable-nfc.conf
echo "blacklist nfc_shdlc" >> /etc/modprobe.d/disable-nfc.conf
# Unload currently loaded NFC modules (if any)
modprobe -r nfc_digital nfc_shdlc nfc 2>/dev/null
# Verify modules are not loaded
lsmod | grep nfc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
