CVE-2022-49014
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's TUN/TAP network driver that occurs during device detachment. When exploited, it can cause kernel memory corruption leading to crashes, privilege escalation, or denial of service. Systems running vulnerable Linux kernel versions with TUN/TAP devices are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential privilege escalation to root, or remote code execution if combined with other vulnerabilities.
Likely Case
System instability, kernel crashes, or denial of service affecting network functionality.
If Mitigated
Limited impact if TUN/TAP devices are not in use or proper access controls prevent exploitation.
🎯 Exploit Status
Exploitation requires local access and CAP_NET_ADMIN privileges. The vulnerability was discovered through syzkaller fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commit 04b995e963229501401810dab89dc73e7f12d054 and backported to stable branches
Vendor Advisory: https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. For RHEL/CentOS: yum update kernel. 3. For Ubuntu/Debian: apt update && apt upgrade linux-image-*. 4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Restrict TUN/TAP device creation
linuxLimit which users can create TUN/TAP devices by removing CAP_NET_ADMIN from unnecessary users/processes
setcap -r CAP_NET_ADMIN /path/to/binary
capsh --drop=cap_net_admin -- -c "your_command"
Disable TUN/TAP module
linuxPrevent loading of TUN/TAP kernel module if not required
echo "install tun /bin/false" >> /etc/modprobe.d/disable-tun.conf
rmmod tun
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from creating TUN/TAP devices
- Monitor for suspicious TUN/TAP device creation and kernel crash logs
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if TUN/TAP module is loaded: lsmod | grep tun && uname -rCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is after fix commit: uname -r and check with distribution-specific advisory📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN reports of use-after-free in tun_detach()
- System crashes during network device detachment
Network Indicators:
- Unexpected TUN/TAP device creation
- Network service disruptions
SIEM Query:
source="kernel" AND ("KASAN" OR "use-after-free" OR "tun_detach" OR "kernel panic")🔗 References
- https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054
- https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7
- https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b
- https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e
- https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12
- https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f
