CVE-2022-23222

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's BPF verifier (kernel/bpf/verifier.c) lets a local user who is allowed to load BPF programs escalate to root. The verifier accepted pointer arithmetic on registers of the *_OR_NULL pointer types (helper return values that may be NULL until the program checks them) before the NULL check, so its bookkeeping of such a register can diverge from the register's runtime value; that divergence is what gives a program the verifier has accepted an out-of-bounds kernel memory access. Linux kernel versions through 5.15.14 are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: through 5.15.14 (fixed in 5.15.15; distributions backport the fix under their own version strings)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the BPF syscall to be compiled in (CONFIG_BPF_SYSCALL, enabled in most distribution kernels). Exploitation by an ordinary local user additionally requires that unprivileged BPF program loading is allowed (kernel.unprivileged_bpf_disabled=0). With it disabled, bpf() program loads need CAP_BPF or CAP_SYS_ADMIN, which puts the bug out of reach of unprivileged accounts, though a process that already holds those capabilities can still use it.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, allowing complete control over the affected system, data exfiltration, and lateral movement.

🟠

Likely Case

Local privilege escalation from an unprivileged user to root, enabling installation of persistent malware, credential theft, and system manipulation.

🟢

If Mitigated

Limited impact if unprivileged BPF is disabled (kernel.unprivileged_bpf_disabled=1) and local accounts are restricted, since the bug is then reachable only by processes that already hold CAP_BPF or CAP_SYS_ADMIN.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.
🏢 Internal Only: HIGH - Any local user account (including compromised applications) can potentially exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local code execution as a user permitted to load BPF programs, plus an understanding of how the verifier tracks pointer arithmetic and NULL checks. Public proof-of-concept exploit code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.15.15 and later

Vendor Advisory: https://www.kernel.org/

Restart Required: Yes

Instructions:

1. Update the kernel to 5.15.15 or later, or to the package version your distribution's advisory names (distributions backport the fix under their own version strings).
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot so the new kernel is the one running; the patched package on disk changes nothing until then.

🔧 Temporary Workarounds

Disable unprivileged BPF

Prevents unprivileged users from loading BPF programs through bpf(2), which removes the attack surface this bug needs. A value of 1 is one-way: it cannot be set back to 0 without a reboot. Kernels 5.13 and later also accept 2, which disables unprivileged BPF but can still be reverted at runtime. Classic BPF users such as seccomp filters and tcpdump socket filters are unaffected by this sysctl; anything that legitimately loads eBPF programs as a non-root user will start failing with EPERM.

sysctl -w kernel.unprivileged_bpf_disabled=1
printf 'kernel.unprivileged_bpf_disabled = 1\n' > /etc/sysctl.d/99-disable-unpriv-bpf.conf
sysctl -p /etc/sysctl.d/99-disable-unpriv-bpf.conf

🧯 If You Can't Patch

  • Restrict local user access and implement strict privilege separation
  • Monitor for suspicious privilege escalation attempts and BPF-related system calls

🔍 How to Verify

Check if Vulnerable:

Run uname -r. An upstream (kernel.org) kernel reporting 5.15.14 or earlier is vulnerable. Distribution kernels backport the fix without changing the upstream version number (a 5.4.x or 5.10.x distro kernel may already be patched), so for those confirm against the distribution's security advisory or the kernel package changelog rather than the version string alone. Also read /proc/sys/kernel/unprivileged_bpf_disabled: a value of 1 or 2 means unprivileged users cannot reach the bug even on a vulnerable kernel.

Check Version:

uname -r

Verify Fix Applied:

After the update and reboot, confirm with uname -r that the running kernel is 5.15.15 or later, or the patched package version named in your distribution's advisory. If you relied on the sysctl workaround in the meantime, decide deliberately whether to keep it; it is a sound hardening setting independent of this CVE.
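A triage script for the checks above, as an added example that is not code from the advisory or from the kernel project. It assumes the fixed upstream version stated on this page (5.15.15) and compares versions numerically rather than as strings (a string comparison would rank 5.15.9 above 5.15.14); for distribution kernels, which carry backports under older version strings, its "vulnerable" result means "check the distro advisory", not a verdict. The sysctl file path is the kernel's standard one; the function takes an alternative path so it can be tested offline.

```shell
#!/bin/sh
# Added example, not from the advisory: triage a host for CVE-2022-23222.
# Assumes the fixed upstream version is 5.15.15 (as stated above).
# Distribution kernels backport fixes under older version strings, so for
# those treat "vulnerable" as "check the distro advisory".

# version_lt A B: succeed if A < B, comparing major.minor.patch numerically
# and ignoring any suffix such as "-100-generic" or "-arch1-1".
version_lt() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0"   # pad missing fields
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# unpriv_bpf_state [file]: print the sysctl value (0, 1 or 2), or "unknown"
# when the file is absent (for example a kernel built without CONFIG_BPF_SYSCALL).
unpriv_bpf_state() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'unknown'; fi
}

# assess VERSION SYSCTL_VALUE: print one of
#   patched     running kernel is 5.15.15 or later
#   mitigated   vulnerable version, but unprivileged BPF is disabled (1 or 2)
#   vulnerable  vulnerable version and unprivileged BPF allowed (0)
#   unknown     vulnerable version and the sysctl could not be read
assess() {
    if version_lt "$1" 5.15.15; then
        case "$2" in
            1|2) printf 'mitigated' ;;
            0)   printf 'vulnerable' ;;
            *)   printf 'unknown' ;;
        esac
    else
        printf 'patched'
    fi
}

# Stand-alone run against the live host.
printf 'CVE-2022-23222: %s (kernel %s, unprivileged_bpf_disabled=%s)\n' \
    "$(assess "$(uname -r)" "$(unpriv_bpf_state)")" "$(uname -r)" "$(unpriv_bpf_state)"
```

The sysctl check matters as much as the version check: on a kernel that is vulnerable by version but has unprivileged BPF disabled, an ordinary user cannot reach the verifier bug at all, which is the state most hardened hosts are in while waiting for a reboot window.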

📡 Detection & Monitoring

Log Indicators:

  • bpf() syscalls, in particular BPF_PROG_LOAD, from unprivileged users, recorded with an auditd rule on the bpf syscall
  • bpf() calls denied with EPERM after kernel.unprivileged_bpf_disabled has been set (a user or program still trying to load programs)
  • Root shells or setuid processes spawned by otherwise unprivileged processes
  • Kernel oops or crashes, which can be the residue of a failed exploit attempt

Network Indicators:

  • None - local exploit only

SIEM Query:

Syscall where syscall_name == "bpf" and euid != 0

Narrow to program loads (BPF_PROG_LOAD is command 5, shown as a0=5 in audit SYSCALL records) and exclude known legitimate unprivileged BPF users. An invocation of uname -r is version reconnaissance at most and is not an exploitation indicator.
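The detection logic behind the indicators above, as an added example that is not part of the original page: an auditd rule that records bpf() calls by logged-in users, and a filter that runs over constructed audit.log records (not real captures) and flags BPF_PROG_LOAD attempts made with a non-root effective UID, including denied ones. It assumes x86_64, where bpf() is syscall 321 and the audit arch field is c000003e; on other architectures the syscall number differs, so match on the auditd key or on the rule's -S bpf name instead.

```shell
#!/bin/sh
# Added example, not code from the advisory. Assumes x86_64 (bpf() is
# syscall 321, arch=c000003e) and audit SYSCALL records in the standard
# auditd key=value layout; a0 carries the bpf command, BPF_PROG_LOAD = 5.
#
# auditd rule (put in /etc/audit/rules.d/bpf.rules, then augenrules --load):
#   -a always,exit -F arch=b64 -S bpf -F auid>=1000 -F auid!=unset -k unpriv_bpf

# flag_unpriv_bpf_loads: read audit.log on stdin and print one line per
# BPF_PROG_LOAD attempt made with a non-root effective UID. Denied attempts
# (success=no) are kept on purpose: after kernel.unprivileged_bpf_disabled is
# set they are exactly what a still-running exploit attempt looks like.
flag_unpriv_bpf_loads() {
    awk '
    /type=SYSCALL/ && /arch=c000003e/ && /syscall=321/ {
        euid = ""; a0 = ""; ok = ""; pid = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "euid") euid = kv[2]
            else if (kv[1] == "a0") a0 = kv[2]
            else if (kv[1] == "success") ok = kv[2]
            else if (kv[1] == "pid") pid = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        }
        if (a0 == "5" && euid != "0")
            printf "pid=%s euid=%s comm=%s prog_load=%s\n", pid, euid, comm, ok
    }'
}

# Constructed sample records (not real captures): an unprivileged user loading a
# program, the same user denied after the sysctl was set, an administrator
# running bpftrace via sudo, and the unprivileged user creating a map
# (a0=0, BPF_MAP_CREATE, which is not a program load).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1642000000.101:201): arch=c000003e syscall=321 success=yes exit=4 a0=5 a1=7ffd1c0 a2=78 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="unpriv_bpf"
type=SYSCALL msg=audit(1642000000.102:202): arch=c000003e syscall=321 success=no exit=-1 a0=5 a1=7ffd1c0 a2=78 a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="unpriv_bpf"
type=SYSCALL msg=audit(1642000000.103:203): arch=c000003e syscall=321 success=yes exit=5 a0=5 a1=7ffd2a0 a2=78 a3=0 items=0 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 comm="bpftrace" exe="/usr/bin/bpftrace" key="unpriv_bpf"
type=SYSCALL msg=audit(1642000000.104:204): arch=c000003e syscall=321 success=yes exit=6 a0=0 a1=7ffd2a0 a2=78 a3=0 items=0 ppid=1200 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="unpriv_bpf"'

# On a live host: flag_unpriv_bpf_loads < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | flag_unpriv_bpf_loads
```

Only the two records from the unprivileged user's program loads are reported; the root bpftrace load and the map creation are dropped. Filtering on euid rather than uid is deliberate: a setuid helper loading programs on behalf of a user shows up as euid=0 and belongs in a separate, narrower rule.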
