CVE-2022-49064
📋 TL;DR
A Linux kernel vulnerability in the cachefiles subsystem where error paths fail to clear the 'in-use' flag on inodes, causing resource leakage. This can lead to denial-of-service conditions where legitimate operations fail with 'Inode already in use' errors. Affects systems using the cachefiles module, typically those with network filesystem caching enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Persistent denial-of-service where cachefiles operations fail completely, potentially disrupting network filesystem access and causing application failures.
Likely Case
Intermittent 'Inode already in use' errors during cache operations, leading to degraded performance and occasional file access failures.
If Mitigated
Minor performance impact with occasional cache misses but no service disruption.
🎯 Exploit Status
Exploitation requires ability to trigger specific error conditions in cachefiles operations, typically requiring local access or control over cache operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits b2055abafd3d4ee0376fb3eed5cae866316995a1 and ea5dc046127e857a7873ae55fd57c866e9e86fb2
Vendor Advisory: https://git.kernel.org/stable/c/b2055abafd3d4ee0376fb3eed5cae866316995a1
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify cachefiles module loads correctly.
🔧 Temporary Workarounds
Disable cachefiles module
linuxUnload the cachefiles kernel module to prevent exploitation
sudo modprobe -r cachefiles
Blacklist cachefiles module
linuxPrevent cachefiles module from loading at boot
echo 'blacklist cachefiles' | sudo tee /etc/modprobe.d/blacklist-cachefiles.conf
🧯 If You Can't Patch
- Monitor system logs for 'Inode already in use' warnings from cachefiles
- Implement process monitoring to detect abnormal cachefiles behavior
🔍 How to Verify
Check if Vulnerable:
Check if cachefiles module is loaded: lsmod | grep cachefiles. If loaded, check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits: uname -r and check with distribution vendor. Test cachefiles operations after patch.📡 Detection & Monitoring
Log Indicators:
- kernel logs containing 'cachefiles: Inode already in use'
- increased cachefiles error messages in dmesg
Network Indicators:
- Increased network filesystem latency if cache operations fail
SIEM Query:
source="kernel" AND "cachefiles" AND ("Inode already in use" OR error)