CVE-2022-0185
📋 TL;DR
CVE-2022-0185 is a heap-based buffer overflow vulnerability in the Linux kernel's Filesystem Context API legacy handling. It allows a local attacker to escalate privileges to root, potentially gaining full system control. Affected systems are those with unprivileged user namespaces enabled or where attackers have namespaced CAP_SYS_ADMIN privileges.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing complete control over the system, data theft, persistence installation, and lateral movement.
Likely Case
Local privilege escalation to root by authenticated users or processes with initial access, leading to system takeover.
If Mitigated
Limited impact if unprivileged user namespaces are disabled and proper access controls restrict CAP_SYS_ADMIN privileges.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist. Exploitation requires local access and specific conditions but has been weaponized in real attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.16.3 and later
Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de2
Restart Required: Yes
Instructions:
1. Update the Linux kernel to version 5.16.3 or later.
2. For distributions, use the package manager to update the kernel package (e.g., 'apt update && apt upgrade' for Debian/Ubuntu, 'yum update kernel' for RHEL/CentOS).
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable unprivileged user namespaces
Platform: linux
Prevents exploitation by unprivileged users by disabling the user namespace feature.
echo 0 > /proc/sys/user/max_user_namespaces
sysctl -w user.max_user_namespaces=0
Restrict CAP_SYS_ADMIN
Platform: linux
Limit CAP_SYS_ADMIN privileges to prevent exploitation.
Use the Linux capabilities framework to remove file capabilities from binaries that do not need them: setcap -r /path/to/binary
Configure containers with reduced capabilities.
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to vulnerable systems
- Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with 'uname -r'. If the version is between 5.1 and 5.16.2, the system is vulnerable. Also check whether unprivileged user namespaces are enabled with 'cat /proc/sys/user/max_user_namespaces' (a non-zero value means enabled).
Check Version:
uname -r
Verify Fix Applied:
After patching, verify that the kernel version is 5.16.3 or later with 'uname -r'. Test with a known exploit PoC to confirm that it fails.
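The two checks above (kernel version inside the stated range, and a non-zero user.max_user_namespaces) can be scripted so the result is a single yes/no per host. The following POSIX sh helper is an added example written for this page; it is not from the advisory or the kernel project. It assumes the page's stated vulnerable range of 5.1 through 5.16.2 and the sysctl file /proc/sys/user/max_user_namespaces; the function names (parse_kernel_version, kernel_in_vulnerable_range, userns_enabled, assess) are chosen here.

```shell
#!/bin/sh
# Added verification helper for CVE-2022-0185 (not from the page or the kernel
# project). Assumptions: the page's stated vulnerable range is 5.1 .. 5.16.2, and
# /proc/sys/user/max_user_namespaces is the switch the page's workaround flips.

# Split "MAJOR.MINOR.PATCH[-suffix]" into KV_MAJOR / KV_MINOR / KV_PATCH.
# Missing components become 0; trailing non-digits ("0+", "0rc1") are dropped.
parse_kernel_version() {
    pkv_v=${1%%-*}                                   # "5.15.0-25-generic" -> "5.15.0"
    KV_MAJOR=${pkv_v%%.*}
    pkv_rest=${pkv_v#*.}
    if [ "$pkv_rest" = "$pkv_v" ]; then pkv_rest=0; fi        # no '.' at all
    KV_MINOR=${pkv_rest%%.*}
    pkv_patch=${pkv_rest#*.}
    if [ "$pkv_patch" = "$pkv_rest" ]; then pkv_patch=0; fi   # no third component
    KV_PATCH=${pkv_patch%%.*}
    KV_MAJOR=${KV_MAJOR%%[!0-9]*}
    KV_MINOR=${KV_MINOR%%[!0-9]*}
    KV_PATCH=${KV_PATCH%%[!0-9]*}
    case "$KV_MAJOR:$KV_MINOR:$KV_PATCH" in
        :*|*::*|*:) return 1 ;;                      # a component was empty / non-numeric
    esac
    return 0
}

# Exit 0 when $1 lies inside the page's stated range (5.1 <= v <= 5.16.2),
# 1 when it is outside the range, 2 when the string cannot be parsed.
kernel_in_vulnerable_range() {
    parse_kernel_version "$1" || return 2
    [ "$KV_MAJOR" -eq 5 ] || return 1
    [ "$KV_MINOR" -ge 1 ] || return 1
    [ "$KV_MINOR" -lt 16 ] && return 0
    [ "$KV_MINOR" -eq 16 ] && [ "$KV_PATCH" -le 2 ]
}

# Exit 0 when the sysctl file holds a non-zero value (user namespaces can still be
# created), 1 when it holds 0, 2 when the file is absent, unreadable or not a number.
userns_enabled() {
    ue_file=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$ue_file" ] || return 2
    read -r ue_n < "$ue_file" || return 2
    case $ue_n in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$ue_n" -ne 0 ]
}

# One-line verdict for (version, sysctl file); exit 0 only when both preconditions
# from the advisory hold, i.e. the host is in scope for this CVE.
assess() {
    if kernel_in_vulnerable_range "$1"; then as_v=in-range; else as_v=out-of-range; fi
    if userns_enabled "$2"; then as_u=enabled; else as_u=disabled-or-unknown; fi
    echo "kernel $1: $as_v; unprivileged user namespaces: $as_u"
    [ "$as_v" = in-range ] && [ "$as_u" = enabled ]
}

# Live check of this host when run as: sh check.sh --live  (read-only, no privileges).
if [ "${1-}" = "--live" ]; then
    assess "$(uname -r)" /proc/sys/user/max_user_namespaces
fi
```

Treat an in-range result as a prompt, not a verdict: stable and distribution kernels backport fixes without changing the major.minor number, so a 5.15.x or 5.10.x kernel may already carry the fix; confirm against the distribution's advisory or package changelog. On the mitigation side, `sysctl -w user.max_user_namespaces=0` does not survive a reboot; put `user.max_user_namespaces = 0` in a file under /etc/sysctl.d/ for persistence, and expect anything that legitimately needs user namespaces (rootless containers, some sandboxes) to stop working while it is set.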
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- OOM killer activity related to kernel processes
- Unusual privilege escalation in audit logs
- Failed mount operations with legacy filesystems
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
(source="kernel" AND ("panic" OR "Oops" OR "general protection fault")) OR (source="audit" AND "cap_sys_admin" AND "escalation")
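The log indicators and the SIEM query above are coarse string matches, and it helps to see them applied to concrete lines before wiring them into a SIEM. The following POSIX sh script is an added example written for this page, not code from the advisory or any vendor. The SAMPLE_LOG lines are constructed for the example (the audit records follow the Linux audit subsystem's key=value layout; syscall 165 is mount(2) on x86_64, and capability 21 is CAP_SYS_ADMIN); scan_log, count_hits and summarize are names chosen here.

```shell
#!/bin/sh
# Added detection example for this advisory's log indicators (not from the page or
# any vendor). The sample lines below are constructed for the example.

# Classify each stdin line against the advisory's indicators and print "TAG<TAB>line".
# A line gets the first tag that matches: kernel faults first, then failed mount(2)
# calls (x86_64 syscall 165) in audit SYSCALL records, then CAP_SYS_ADMIN denials.
scan_log() {
    while IFS= read -r sl_line; do
        case $sl_line in
            *"Kernel panic"*|*"Oops:"*|*"general protection fault"*)
                printf 'KERNEL_FAULT\t%s\n' "$sl_line" ;;
            *"type=SYSCALL"*"syscall=165"*"success=no"*)
                printf 'FAILED_MOUNT\t%s\n' "$sl_line" ;;
            *"type=AVC"*"sys_admin"*|*"CAP_SYS_ADMIN"*)
                printf 'CAP_SYS_ADMIN\t%s\n' "$sl_line" ;;
        esac
    done
}

# Count lines of $1 that scan_log tagged with $2 (prints 0 when none match).
count_hits() {
    printf '%s\n' "$1" | scan_log | grep -c "^$2" || true
}

# Print a per-tag summary for a log blob; a suitable body for a periodic job.
summarize() {
    for sm_tag in KERNEL_FAULT FAILED_MOUNT CAP_SYS_ADMIN; do
        echo "$sm_tag=$(count_hits "$1" "$sm_tag")"
    done
}

# Constructed sample: three kernel-fault lines, one failed mount audit record,
# one CAP_SYS_ADMIN denial, and one benign line that must not match anything.
SAMPLE_LOG=$(cat <<'EOF'
Jan 18 10:02:11 host kernel: [ 1234.567890] general protection fault: 0000 [#1] SMP PTI
Jan 18 10:02:11 host kernel: [ 1234.567901] Oops: 0000 [#1] SMP PTI
Jan 18 10:02:15 host kernel: [ 1238.000123] Kernel panic - not syncing: Fatal exception
type=SYSCALL msg=audit(1642500131.123:456): arch=c000003e syscall=165 success=no exit=-22 comm="mount" exe="/usr/bin/mount" key="mounts"
type=AVC msg=audit(1642500132.456:457): avc: denied { sys_admin } for pid=4242 comm="unshare" capability=21 tclass=capability permissive=0
Jan 18 10:03:00 host kernel: [ 1283.000000] eth0: link up, 1000Mbps, full-duplex
EOF
)

# Demo on the constructed sample; pipe `journalctl -k` or `ausearch -i` output into
# scan_log for a real host.
summarize "$SAMPLE_LOG"
```

Two things the run makes visible: the kernel-fault tags fire on any crash, not just an exploitation attempt, so they are a trigger for triage rather than an attribution; and a failed mount(2) from an unprivileged process is only meaningful in combination with the verification result (vulnerable version plus user namespaces enabled), which is why the page lists it as one indicator among several.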
🔗 References
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de2
- https://github.com/Crusaders-of-Rust/CVE-2022-0185
- https://security.netapp.com/advisory/ntap-20220225-0003/
- https://www.openwall.com/lists/oss-security/2022/01/18/7
- https://www.willsroot.io/2022/01/cve-2022-0185.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0185