CVE-2022-28796

7.0 HIGH

📋 TL;DR

CVE-2022-28796 is a use-after-free vulnerability in the Linux kernel's jbd2 journaling subsystem caused by a transaction_t race condition. This allows local attackers to potentially escalate privileges or cause denial of service. Systems running Linux kernel versions before 5.17.1 are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 5.17.1
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using ext4 or other filesystems with jbd2 journaling enabled. Most modern Linux distributions use this by default for ext4.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root, kernel panic leading to system crash, or arbitrary code execution in kernel context.

🟠

Likely Case

Kernel panic causing system instability or denial of service, potentially leading to data corruption in journaled filesystems.

🟢

If Mitigated

Limited impact if proper access controls restrict local user accounts and system runs with minimal privileges.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: MEDIUM - Internal users with shell access could exploit this to escalate privileges or cause system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires local access and precise timing to trigger the race condition. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.17.1 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.1

Restart Required: Yes

Instructions:

1. Update the Linux kernel to version 5.17.1 or later.
2. For distributions: use the package manager (apt-get upgrade linux-image, yum update kernel, etc.).
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable jbd2 journaling


Temporarily disable journaling on ext4 filesystems (not recommended for production due to data integrity risks). The filesystem must be unmounted (or mounted read-only) before running these commands: tune2fs refuses to clear has_journal on a mounted, writable filesystem, and e2fsck must not be run on a mounted one. Replace /dev/sdX with the device holding the filesystem.

tune2fs -O ^has_journal /dev/sdX
e2fsck -f /dev/sdX

Restrict local user access


Limit shell access and local login capabilities to trusted users only

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts and shell access
  • Monitor system logs for kernel panic events and unauthorized privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with 'uname -r'. If the version is earlier than 5.17.1, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify that the kernel version is 5.17.1 or later with 'uname -r' and check system stability.
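As an added example that is not part of this advisory, the following POSIX sh helper performs the version comparison described above against the fixed release 5.17.1. It assumes an upstream-style x.y.z release string and strips distribution suffixes; a distribution kernel that backports the fix under an older version number will still be reported as vulnerable, so cross-check such kernels against the distribution's own advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `uname -r` string
# relative to the fixed release 5.17.1 for CVE-2022-28796.
# Assumption: upstream-style x.y.z numbering; backported distro fixes
# are not detectable from the version number alone.

FIXED_MAJOR=5
FIXED_MINOR=17
FIXED_PATCH=1

# Keep only the leading digits-and-dots prefix of a release string:
# "5.15.0-76-generic" -> "5.15.0", "6.1.0-rc1" -> "6.1.0", "garbage" -> "".
kernel_numeric_version() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# Prints "vulnerable" when the version is below 5.17.1, "fixed" when it is
# 5.17.1 or later, and "unknown" when no numeric version can be parsed.
kernel_status() {
    num=$(kernel_numeric_version "$1")
    case "$num" in
        [0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $num            # split x.y.z into the function's positional parameters
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Tuple comparison of (major, minor, patch) against (5, 17, 1).
    if [ "$major" -lt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; } ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ] &&
         [ "$patch" -lt "$FIXED_PATCH" ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Report on the kernel this script is running under.
check_running_kernel() {
    release=$(uname -r)
    printf 'kernel %s: %s (CVE-2022-28796, fixed in 5.17.1)\n' \
        "$release" "$(kernel_status "$release")"
}

check_running_kernel
```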

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • Unexpected privilege escalation events in audit logs
  • System crash/reboot events

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

(source="kern.log" AND "kernel panic") OR (source="audit.log" AND "privilege escalation")
