CVE-2022-28653

7.5 HIGH

📋 TL;DR

CVE-2022-28653 is a denial-of-service vulnerability where users can fill the /var/crash directory with crash reports, consuming unlimited disk space. This affects systems with crash reporting enabled where users have write access to crash directories. The vulnerability can lead to system instability and service disruption.

💻 Affected Systems

Products:
  • Linux systems with crash reporting utilities
Versions: Various versions prior to patches in 2022
Operating Systems: Linux distributions with crash reporting enabled
Default Config Vulnerable: ⚠️ Yes
Notes: Requires crash reporting tools like abrt, apport, or systemd-coredump to be installed and configured. Systems without crash reporting are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disk exhaustion causing system crashes, service failures, and potential data loss as critical system processes cannot write to disk.

🟠 Likely Case: Degraded system performance, application failures, and service interruptions requiring manual cleanup and system restarts.

🟢 If Mitigated: Minimal impact with proper disk monitoring, quotas, and user access controls preventing abuse.

🌐 Internet-Facing: LOW - Typically requires local user access or authenticated remote access to exploit.
🏢 Internal Only: MEDIUM - Malicious or compromised internal users could intentionally crash systems to cause disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user access to trigger crashes and write to /var/crash. The vulnerability is in crash report handling, not in triggering crashes themselves.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by distribution - check vendor advisories

Vendor Advisory: https://www.cve.org/CVERecord?id=CVE-2022-28653

Restart Required: No

Instructions:

1. Check your Linux distribution's security advisories.
2. Update crash reporting packages (abrt, apport, systemd-coredump).
3. Apply patches via the standard package manager (apt, yum, dnf).
4. Verify crash reporting services are functioning correctly.

🔧 Temporary Workarounds

Implement disk quotas on /var/crash

Linux

Limit the amount of disk space users can consume in the crash directory. Quotas are enforced per filesystem, so if /var/crash is not its own mount the limit applies to everything the user owns on the filesystem that holds it (typically / or /var).

# Install quota tools if needed (Debian/Ubuntu: apt install quota; RHEL/Fedora: dnf install quota)
# Edit /etc/fstab and add usrquota,grpquota to the mount options of the filesystem holding /var/crash
mount -o remount /var/crash      # remount so the new options take effect (use / or /var if /var/crash is not a mount point)
quotacheck -cug /var/crash       # create the quota files and scan current usage
quotaon /var/crash               # enable quotas
edquota -u username              # set per-user soft and hard limits

Disable crash reporting

Linux

Turn off automatic crash reporting if not needed

# systemd-coredump: the kernel helper is socket-activated (instances run as systemd-coredump@.service), so stopping the socket is the key step
systemctl disable --now systemd-coredump.socket
# abrt
systemctl disable --now abrtd.service abrt-oops.service
# apport (Ubuntu): the init script reads this file and will not start with enabled=0
echo 'enabled=0' > /etc/default/apport

🧯 If You Can't Patch

  • Implement filesystem monitoring and alerts for /var/crash directory growth
  • Regularly clean old crash reports and implement retention policies

🔍 How to Verify

Check if Vulnerable:

Check whether crash reporting is enabled and whether /var/crash exists, what its permissions are (world-writable means any local user can add files to it), and how much space remains on the filesystem that holds it: ls -ld /var/crash && df -h /var/crash

Check Version:

systemd-coredump --version                   # systemd-coredump (the helper lives in /usr/lib/systemd/ and is not normally on PATH; systemctl --version reports the same systemd release)
abrtd --version                              # abrt
apport-cli --version                         # apport
rpm -qa | grep -E '(abrt|apport|coredump)'   # package versions on rpm-based systems
dpkg -l | grep -E '(abrt|apport|coredump)'   # package versions on deb-based systems

Verify Fix Applied:

Check package versions of crash reporting tools and verify they're updated. Test by triggering a crash (if safe) and checking crash report handling.

📡 Detection & Monitoring

Log Indicators:

  • Rapid growth of the /var/crash directory reported by disk-usage monitoring
  • Multiple crash reports from same user in short time
  • Disk space alerts for /var partition

Network Indicators:

  • None - this is a local filesystem vulnerability

SIEM Query:

Search for: ('disk space critical' OR 'filesystem full') AND '/var/crash', or for repeated 'core dumped' events from the same host or user within a short window
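A monitoring script that covers the /var/crash growth alerts and the retention check described in the workaround and detection sections above, added here as an example and not taken from the advisory or from any crash-reporting tool. The directory argument, the per-owner file threshold (20) and the total-size threshold (1 GiB) are assumptions; the script reports per-UID file counts so that one user filling the directory stands out.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a crash directory for the
# disk-exhaustion pattern this CVE describes. Counts crash files per owning
# UID, measures total usage, and returns 1 when either exceeds a threshold.
# Thresholds (20 files per owner, 1 GiB total) are assumed defaults.
# Usage: crash_dir_audit /var/crash [max_files_per_owner] [max_kib]

# Print "uid count" for each file owner in DIR (top level only), largest first.
crash_files_by_owner() {
    find "$1" -maxdepth 1 -type f -exec ls -ln {} + 2>/dev/null \
        | awk '{ c[$3]++ } END { for (u in c) print u, c[u] }' \
        | sort -k2,2nr
}

# Largest per-owner count in DIR, or 0 when the directory holds no files.
crash_max_per_owner() {
    n=$(crash_files_by_owner "$1" | head -n 1 | awk '{ print $2 }')
    echo "${n:-0}"
}

# Total KiB used by DIR.
crash_dir_kib() {
    du -sk "$1" | awk '{ print $1 }'
}

# List crash files older than DAYS days; a retention job would remove these.
crash_files_older_than() {
    find "$1" -maxdepth 1 -type f -mtime +"$2"
}

# Print a one-line report; return 1 (alert) when a threshold is exceeded.
crash_dir_audit() {
    dir="$1"; max_files="${2:-20}"; max_kib="${3:-1048576}"
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }
    per_owner=$(crash_max_per_owner "$dir")
    kib=$(crash_dir_kib "$dir")
    if [ "$per_owner" -gt "$max_files" ] || [ "$kib" -gt "$max_kib" ]; then
        echo "ALERT $dir: max_files_per_owner=$per_owner (limit $max_files) total_kib=$kib (limit $max_kib)"
        return 1
    fi
    echo "OK $dir: max_files_per_owner=$per_owner total_kib=$kib"
    return 0
}
```

Run crash_dir_audit from cron or a monitoring hook and alert on a non-zero exit; the per-owner count is the signal that distinguishes one user flooding the directory from a system-wide crash storm.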
