PT-2025-8267 · Linux+4 · Linux Kernel+4

Published 2022-06-08 · Updated 2026-05-26 · CVE-2022-49333

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.18.0-rc7+

Description

The issue is related to the Linux kernel, specifically with the mlx5_get_next_phys_dev() function, which was called without holding the interface lock. This problem was identified when a commit added an assert that verifies the interface lock is held. The vulnerability is associated with the E-Switch and offloads pairing using devcom, which should only be possible on devices that support LAG.

Recommendations

For Linux kernel versions prior to 5.18.0-rc7+, update to a version that includes the fix for the issue where mlx5_get_next_phys_dev() was called without holding the interface lock. As a temporary workaround, consider disabling the mlx5_esw_offloads_devcom_event() function until a patch is available. Restrict access to the vulnerable module mlx5_core to minimize the risk of exploitation. Avoid using the devcom parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
AZL-68618
BDU:2026-03673
CESA-2023_2951
CVE-2022-49333
RHSA-2023:2458
RHSA-2023:2951
RHSA-2023_2458
RHSA-2023_2951
SUSE-SU-2025:1176-1
SUSE-SU-2025:1241-1
SUSE-SU-2025_1241-1

Affected Products

Astra Linux
CentOS
Linux Kernel
Red Hat
SUSE