CVE-2022-0500

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's BPF subsystem allows a local user to trigger an out-of-bounds memory write via the BPF_BTF_LOAD command. This can lead to system crashes or privilege escalation to root. Any system running an affected Linux kernel version with eBPF enabled is vulnerable.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernels before the fix (varies by distribution; generally kernels before 5.16, with backports to older supported series)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CONFIG_BPF_SYSCALL=y and a user holding CAP_BPF or CAP_SYS_ADMIN; where unprivileged BPF is enabled (kernel.unprivileged_bpf_disabled=0), no capability is needed and any local user can reach the affected code

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root privileges, leading to complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Local user crashes the kernel causing denial of service, or gains elevated privileges for lateral movement within the system.

🟢

If Mitigated

With proper kernel hardening and restricted user access, impact is limited to denial of service from crashes.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.
🏢 Internal Only: HIGH - Any local user account can potentially exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and understanding of BPF/BTF internals. Proof-of-concept code exists in security research circles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.16+ or distribution-specific backports

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2044578

Restart Required: Yes

Instructions:

1. Check your distribution's security advisories.
2. Update the kernel package via the package manager (yum update kernel, apt-get upgrade linux-image).
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable unprivileged BPF

Prevents non-root users from using BPF features

sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled = 1' >> /etc/sysctl.d/99-bpf.conf

Restrict BPF via capabilities

Remove CAP_BPF and CAP_PERFMON capabilities from users

setcap -r /path/to/binary    # -r clears the binary's whole file capability set; setcap -r takes no capability list
Use pam_cap to restrict capabilities system-wide.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts
  • Monitor for unusual BPF_BTF_LOAD operations in kernel logs

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r and compare it with your distribution's patched versions. Also check whether /proc/sys/kernel/unprivileged_bpf_disabled is 0: with unprivileged BPF enabled, any local user (not only CAP_BPF/CAP_SYS_ADMIN holders) can reach the affected code.

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel version reported after the update matches the patched version. Test with a simple BPF program as an unprivileged user to confirm the restrictions are in effect.
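The checks above, written out as an added POSIX shell example (this script is not part of the advisory or of any distribution tooling): it parses the version string the way uname -r reports it, compares it against the 5.16 threshold stated above, and reads the unprivileged_bpf_disabled sysctl, which is also how to confirm the "Disable unprivileged BPF" workaround is in effect. A distribution backport cannot be recognised from the version string, so a pre-5.16 kernel with unprivileged BPF off is reported as "confirm backport" rather than "vulnerable". The function names, the sysctl file argument (there so the logic can be exercised against a constructed file) and the exit-code scheme are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory. Checks the two things the "How to Verify"
# section names: kernel version against the 5.16 fix threshold stated above, and the
# unprivileged_bpf_disabled sysctl (the state the "Disable unprivileged BPF"
# workaround sets). Function names and the exit-code scheme are this example's own.

# kver_below VERSION MAJOR MINOR
# Exit 0 if VERSION (as printed by uname -r, e.g. 5.15.0-91-generic) is older
# than MAJOR.MINOR, 1 otherwise. Only major.minor are compared; a distribution
# backport of the fix cannot be recognised from the version string.
kver_below() {
    ver=$1 want_major=$2 want_minor=$3
    major=${ver%%[!0-9]*}            # leading digits
    rest=${ver#"$major"}             # e.g. ".15.0-91-generic"
    rest=${rest#.}
    minor=${rest%%[!0-9]*}           # digits up to the next non-digit
    [ -n "$major" ] || return 1      # unparsable string: do not claim "old"
    [ -n "$minor" ] || minor=0
    [ "$major" -lt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -lt "$want_minor" ] && return 0
    return 1
}

# unprivileged_bpf_disabled [FILE]
# Exit 0 if the sysctl says unprivileged bpf() is disabled (1 = disabled and
# irreversible until reboot, 2 = disabled but may be re-enabled), 1 if it is
# enabled (0), 2 if the file cannot be read (no /proc, or BPF syscall not built).
unprivileged_bpf_disabled() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || return 2
    read -r val < "$f" || return 2
    case $val in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# assess [VERSION] [SYSCTL_FILE]
# Prints a verdict. Exit 0 = fixed series per the advisory; 1 = pre-5.16 kernel
# with unprivileged BPF off (confirm a backport); 2 = pre-5.16 kernel with
# unprivileged BPF on, or sysctl unreadable (treat as exposed).
assess() {
    kver=${1:-$(uname -r)}
    f=${2:-/proc/sys/kernel/unprivileged_bpf_disabled}
    if ! kver_below "$kver" 5 16; then
        echo "kernel $kver: 5.16 or later (fixed series per advisory)"
        return 0
    fi
    if unprivileged_bpf_disabled "$f"; then
        echo "kernel $kver predates 5.16; unprivileged BPF is disabled. Confirm a distro backport; exposure limited to CAP_BPF/CAP_SYS_ADMIN users."
        return 1
    fi
    echo "kernel $kver predates 5.16 and unprivileged BPF is enabled: treat as exposed, patch and set kernel.unprivileged_bpf_disabled=1."
    return 2
}

# Run the check on this host: sh check-cve-2022-0500.sh  (exit code is the verdict)
assess "$@"
```

Run it without arguments on the host under review; the exit code (0, 1 or 2) is usable from configuration-management or fleet-inventory jobs, and the two optional arguments let the same logic be run against a collected uname string and a copied sysctl value.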

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • Failed BPF_BTF_LOAD operations in audit logs
  • Unexpected privilege escalation events

Network Indicators:

  • None - local exploit only

SIEM Query:

source="kernel" AND ("BPF_BTF_LOAD" OR "general protection fault" OR "kernel panic")
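The indicators listed in this section, applied to a saved log file with an added POSIX shell example (not part of the advisory, and not a query for any particular SIEM): the kernel pattern is the SIEM query's terms plus the "Oops:" prefix of a kernel oops, and the audit pattern is an assumption about auditd SYSCALL records on x86_64, where bpf() is syscall 321 and the a0 field carries the bpf command, BPF_BTF_LOAD being command 18 (printed in hex as a0=12). The sample log lines are constructed for the example; the function names and the syscall number (which differs on other architectures) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan a saved kernel/audit log for the
# indicators the Detection section lists. Sample log lines below are constructed.
#
# The audit pattern assumes auditd SYSCALL records on x86_64: bpf() is syscall 321
# and a0 carries the bpf command number; BPF_BTF_LOAD is command 18, printed in hex
# as a0=12. "success=no" limits it to failed calls, as the Log Indicators bullet says.
# Adjust the syscall number for other architectures.

KERNEL_RE='BPF_BTF_LOAD|general protection fault|[Kk]ernel panic|Oops:'
AUDIT_RE='type=SYSCALL.*syscall=321 .*success=no.*a0=12'

# bpf_indicator_lines FILE
# Print matching lines prefixed with the indicator class. Always exits 0 so it is
# safe under set -e; an empty result means no indicators.
bpf_indicator_lines() {
    grep -E "$KERNEL_RE" "$1" | sed 's/^/[kernel] /'
    grep -E "$AUDIT_RE" "$1" | sed 's/^/[audit-btf-load] /'
    return 0
}

# bpf_indicator_count FILE
# Print the number of indicator lines (kernel + audit classes).
bpf_indicator_count() {
    bpf_indicator_lines "$1" | wc -l | tr -d ' '
}

# write_sample_log FILE
# Constructed sample: one GPF line, one panic line, one failed BPF_BTF_LOAD audit
# record, one unrelated kernel line, one successful (non-BTF) bpf() audit record.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:12:01 host kernel: general protection fault, probably for non-canonical address 0xdead000000000000: 0000 [#1] SMP
Mar  3 10:12:01 host kernel: Kernel panic - not syncing: Fatal exception
Mar  3 10:13:44 host audit: type=SYSCALL msg=audit(1646302424.101:311): arch=c000003e syscall=321 success=no exit=-22 a0=12 a1=7ffc1a2b3c40 a2=80 comm="btfload" exe="/tmp/btfload"
Mar  3 10:14:02 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar  3 10:14:30 host audit: type=SYSCALL msg=audit(1646302470.402:312): arch=c000003e syscall=321 success=yes exit=4 a0=0 a1=7ffc1a2b3c40 a2=80 comm="bpftool" exe="/usr/sbin/bpftool"
EOF
}

# Usage: sh scan.sh /var/log/kern.log   (or a merged kernel+audit export)
if [ -n "${1:-}" ]; then
    bpf_indicator_lines "$1"
    echo "indicator lines: $(bpf_indicator_count "$1")"
fi
```

The successful bpftool call in the sample is deliberately not matched: routine BPF use by tooling is normal on many hosts, so the audit pattern keys on failed BPF_BTF_LOAD calls rather than on any bpf() activity. Both patterns are plain extended regular expressions and carry over directly to a SIEM's regex field if the products there do not support the free-text query shown above.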
