CVE-2022-48827
📋 TL;DR
A Linux kernel NFS server vulnerability where reading files near the maximum offset (OFFSET_MAX) causes an integer overflow, returning an invalid error that triggers infinite retries from NFS clients. This affects Linux systems running NFSD with large files. The vulnerability can cause denial of service through resource exhaustion.
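The arithmetic behind the summary above, as an added user-space illustration (not kernel source and not code from the referenced commits). The struct and function names are hypothetical, and the model assumes a 64-bit unsigned offset and a 32-bit count on the wire. It shows a read near OFFSET_MAX failing with EINVAL when the values are not bounded, and becoming a short read when they are clamped first.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define OFFSET_MAX INT64_MAX  /* largest signed 64-bit file offset */

/* Hypothetical model of a READ request: unsigned 64-bit offset and
 * unsigned 32-bit byte count, as an NFS client sends them. */
struct read_req { uint64_t offset; uint32_t count; };

/* Unbounded path: wire values go straight into signed arithmetic. Near
 * OFFSET_MAX the end position wraps negative and the request fails with
 * -EINVAL. Returns the byte count to read, or a negative errno. */
int64_t read_len_unbounded(const struct read_req *r)
{
    int64_t pos = (int64_t)r->offset;
    /* add in unsigned space so the wrap is well defined in this model */
    int64_t end = (int64_t)(r->offset + r->count);

    if (pos < 0 || end < 0)
        return -EINVAL;
    return r->count;
}

/* Bounded path: clamp offset and length to OFFSET_MAX first, so the same
 * request becomes a short (possibly zero-byte) read instead of an error. */
int64_t read_len_bounded(const struct read_req *r)
{
    uint64_t max = (uint64_t)OFFSET_MAX, off = r->offset, len = r->count;

    if (off > max)
        off = max;
    if (len > max - off)
        len = max - off;
    return (int64_t)len;
}

int main(void)
{
    struct read_req near_max = { (uint64_t)OFFSET_MAX - 100, 4096 };

    printf("unbounded: %lld\n", (long long)read_len_unbounded(&near_max));
    printf("bounded:   %lld\n", (long long)read_len_bounded(&near_max));
    return 0;
}
```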
💻 Affected Systems
- Linux kernel NFS server (nfsd)
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
NFS clients enter infinite retry loops, consuming server resources and causing denial of service for NFS services, potentially affecting all NFS-mounted filesystems.
Likely Case
NFS clients experience connection issues and retry storms when accessing very large files near the 8EB limit, causing performance degradation and service disruption.
If Mitigated
Limited to specific NFS operations on extremely large files, with minimal impact if such files don't exist or NFS isn't used.
🎯 Exploit Status
Exploitation requires NFS access to trigger specific read operations. The vulnerability is triggered by normal client operations on large files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel stable releases containing commits 0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 and related fixes
Vendor Advisory: https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify NFS services restart properly.
🔧 Temporary Workarounds
Disable NFS server
Linux: temporarily disable the NFS server if it is not required
systemctl stop nfs-server
systemctl disable nfs-server
Limit NFS access
Linux: restrict NFS access to trusted clients only
Edit /etc/exports to limit client access
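Use firewall rules: iptables -A INPUT -p tcp --dport 2049 -s trusted_ip -j ACCEPT
The ACCEPT rule only restricts access when other traffic to port 2049 is dropped by a later rule or by the chain's default policy.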
🧯 If You Can't Patch
- Monitor NFS server logs for EINVAL errors and client retry patterns
- Implement rate limiting on NFS connections to mitigate retry storm impact
🔍 How to Verify
Check if Vulnerable:
Check kernel version: uname -r and compare with distribution's patched versions. Check if NFS server is running: systemctl status nfs-server
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update and test NFS read operations on large files near offset limit
📡 Detection & Monitoring
Log Indicators:
- NFS server logs showing EINVAL errors
- Client retry messages in NFS client logs
- Increased NFS request rates
Network Indicators:
- Spike in NFS protocol traffic
- Repeated NFS READ requests from same clients
SIEM Query:
(source="nfsd.log" AND "EINVAL") OR (source="kernel.log" AND "NFS.*overflow")
🔗 References
- https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960
- https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9
- https://git.kernel.org/stable/c/44502aca8e02ab32d6b0eb52e006a5ec9402719b
- https://git.kernel.org/stable/c/c6eff5c4277146a78b4fb8c9b668dd64542c41b0