CVE-2022-24122

7.8 HIGH

📋 TL;DR

CVE-2022-24122 is a use-after-free vulnerability in the Linux kernel's ucount.c that allows privilege escalation when unprivileged user namespaces are enabled. A ucounts object can outlive its namespace, leading to memory corruption. This affects Linux systems with kernel versions 5.14 through 5.16.4 where unprivileged user namespaces are enabled.

💻 Affected Systems

Products:
  • Linux kernel
Versions: 5.14 through 5.16.4
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when unprivileged user namespaces are enabled (sysctl kernel.unprivileged_userns_clone=1). Many distributions disable this by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full root privilege escalation allowing complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Local privilege escalation from unprivileged user to root, enabling lateral movement and further system exploitation.

🟢 If Mitigated: Limited impact if unprivileged user namespaces are disabled or proper kernel hardening is in place.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and unprivileged user namespace capability. Proof-of-concept code exists in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.16.5 and later

Vendor Advisory: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f9d87929d451d3e649699d0f1d74f71f77ad38f5

Restart Required: Yes

Instructions:

1. Update kernel to version 5.16.5 or later.
2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable unprivileged user namespaces

linux

Prevents exploitation by disabling the vulnerable feature

echo 0 > /proc/sys/kernel/unprivileged_userns_clone
sysctl -w kernel.unprivileged_userns_clone=0

🧯 If You Can't Patch

  • Disable unprivileged user namespaces via sysctl
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If it is between 5.14 and 5.16.4, check whether unprivileged user namespaces are enabled with sysctl kernel.unprivileged_userns_clone

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.16.5 or later: uname -r. Confirm patch is applied by checking kernel changelog or verifying commit f9d87929d451d3e649699d0f1d74f71f77ad38f5 is present.
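
The checks above combined into one triage script, as an added example that is not part of the original advisory. It also reads user.max_user_namespaces, an upstream sysctl the page does not name (an assumption), because kernel.unprivileged_userns_clone only exists on kernels carrying that distribution patch.

```shell
#!/bin/sh
# Added example: local triage for CVE-2022-24122 using the page's criteria.
# Assumption: user.max_user_namespaces (an upstream sysctl, not named on the
# page) is also read, since kernel.unprivileged_userns_clone is absent on
# kernels that do not carry that distribution patch.

# Succeeds if the release is in the page's range, 5.14 through 5.16.4.
# Compares upstream numbering only; a distribution kernel may carry the fix
# as a backport under an older version string.
in_affected_range() {
    ver=${1%%[!0-9.]*}              # "5.15.0-91-generic" -> "5.15.0"
    old_ifs=$IFS; IFS=.
    set -- $ver                     # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 5 ] || return 1
    case $minor in
        14|15) return 0 ;;
        16)    [ "$patch" -le 4 ] ;;
        *)     return 1 ;;
    esac
}

# Succeeds if an unprivileged user could create a user namespace.
# $1 = kernel.unprivileged_userns_clone, $2 = user.max_user_namespaces;
# either is the empty string when the sysctl does not exist.
userns_enabled() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then return 1; fi
    return 0
}

# Prints one of: patched-or-unaffected | mitigated | exposed
verdict() {
    in_affected_range "$1" || { echo patched-or-unaffected; return 0; }
    userns_enabled "$2" "$3" || { echo mitigated; return 0; }
    echo exposed
}

# Prints the sysctl value, or nothing if the file is missing or unreadable.
read_sysctl() { cat "/proc/sys/$1" 2>/dev/null || true; }

verdict "$(uname -r)" \
        "$(read_sysctl kernel/unprivileged_userns_clone)" \
        "$(read_sysctl user/max_user_namespaces)"
```

A result of "exposed" on a distribution kernel should be confirmed against the vendor's changelog for commit f9d87929d451d3e649699d0f1d74f71f77ad38f5 before it is treated as a finding.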

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages related to ucount.c
  • Unexpected privilege escalation events in audit logs
  • Failed namespace creation attempts

Network Indicators:

  • Unusual outbound connections from previously unprivileged users

SIEM Query:

(source="kernel" AND ("ucount" OR "use-after-free")) OR (event_type="privilege_escalation" AND user_namespace="true")
