CVE-2022-49076

7.8 HIGH

📋 TL;DR

This is a use-after-free in the Linux kernel's RDMA hfi1 driver (the Intel Omni-Path host fabric interface driver). During cleanup of a user context, for example when MPI_Abort tears a job down, the driver's cleanup in hfi1_mmu_rb_unregister() can hold the last reference on the task's mm struct: it drops that reference, which frees the mm, and then still uses the freed mm to unregister its MMU notifier. A local user who can open the hfi1 device can therefore trigger kernel memory corruption; the realistic outcome is a kernel hang or crash (denial of service), with privilege escalation possible in principle. Only systems with the hfi1 driver loaded and in use on an unfixed kernel are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernels whose hfi1 driver predates the fix commit linked under Official Fix. The fix is in mainline and was backported to the stable series, so check your distribution's kernel changelog rather than relying on the upstream version number alone.
Operating Systems: Linux distributions shipping an affected kernel with CONFIG_INFINIBAND_HFI1 enabled
Default Config Vulnerable: ✅ No
Notes: The vulnerable path is only reachable when the hfi1 module is loaded and a local process uses its user interface (the /dev/hfi1_* character devices used by PSM2/MPI). Systems without hfi1 hardware, or with the module not loaded, are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption in kernel context. In principle this could be turned into local privilege escalation or arbitrary code execution in the kernel, but reliably exploiting a use-after-free on the mm struct is hard and no public exploit is known; the realistic worst case is a kernel panic that takes the node down mid-job.

🟠

Likely Case

Kernel hang or crash resulting in denial of service, requiring system reboot to recover functionality.

🟢

If Mitigated

Minimal impact if proper access controls prevent local users from triggering the vulnerable code path.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the system, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users or processes could exploit this, but requires specific RDMA/hfi1 usage patterns.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to a system with the hfi1 driver loaded, the ability to open the hfi1 user device node, and a cleanup ordering in which the driver holds the last reference to the process's mm (the upstream fix names MPI_Abort as one trigger). No authentication bypass is involved: a local user who can open the device can reach the code path, but turning it into anything more than a crash is not publicly demonstrated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any kernel that includes the fix commit referenced below (mainline, and the stable series that carry the backport); consult your distribution's kernel changelog for the first fixed package build.

Vendor Advisory: https://git.kernel.org/stable/c/0b7186d657ee55e2cdefae498f07d5c1961e8023

Restart Required: Yes

Instructions:

1. Update to a kernel package that includes the fix.
2. Reboot so the new kernel and its hfi1 module are loaded; the module cannot be swapped under running RDMA consumers.
3. Verify the fix is applied. A newer uname -r alone does not prove it, because distributions backport fixes without changing the upstream version; check the package changelog or confirm the fix commit is in the kernel tree.

🔧 Temporary Workarounds

Disable RDMA hfi1 driver

Linux

Prevent loading of the vulnerable hfi1 driver module. Note that a blacklist entry only stops automatic loading by alias; it does not stop an explicit modprobe (an "install hfi1 /bin/false" line does). rmmod will fail while a process holds a /dev/hfi1_* device open, so stop RDMA/MPI consumers first, and regenerate the initramfs if hfi1 is included in it.

echo 'blacklist hfi1' >> /etc/modprobe.d/blacklist-hfi1.conf
rmmod hfi1

Restrict local user access

all

Limit which users can reach the vulnerable code path. The trigger requires opening the hfi1 user device, so restrict the permissions (or the udev rule) on /dev/hfi1_* to the accounts that run RDMA/MPI jobs, and keep untrusted users off those nodes.

🧯 If You Can't Patch

  • Disable RDMA functionality if not required
  • Implement strict access controls to prevent local users from exploiting the vulnerability

🔍 How to Verify

Check if Vulnerable:

Check whether the module is loaded (lsmod | grep '^hfi1') and whether it is even available for the running kernel (modinfo hfi1); a system where hfi1 is absent is not affected regardless of kernel version. If the module is present, compare the kernel package against the first fixed build in your distribution's changelog.

Check Version:

uname -r

Verify Fix Applied:

A newer kernel version is necessary but not sufficient, because distributions backport fixes without bumping the upstream version. Confirm that the fix commit is actually included: check the kernel package changelog, or for a self-built kernel confirm that the fix commit is an ancestor of the built tree.
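The workaround and verification steps above, as an added shell example that is not part of this advisory or of any kernel tooling. It assumes the module is named hfi1 and that open references show up in the "Used by" column of lsmod; the fix commit hash is the one cited under Official Fix, and the kernel git checkout path is supplied by the caller. The lsmod text at the bottom is constructed, standing in for real lsmod output. The script generates a modprobe configuration that blocks both automatic and explicit loading (the blacklist line alone only prevents alias autoload), reports whether hfi1 can currently be unloaded, and checks a kernel tree for the fix commit.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel tree.
# Assumptions: module name "hfi1"; lsmod's third column is the "Used by" count;
# FIX_COMMIT is the stable commit this page cites as the vendor fix.
FIX_COMMIT=0b7186d657ee55e2cdefae498f07d5c1961e8023

# hfi1_loaded LSMOD_TEXT: succeeds if hfi1 appears in the module list
hfi1_loaded() {
    printf '%s\n' "$1" | awk '$1 == "hfi1" { found = 1 } END { exit !found }'
}

# hfi1_refcount LSMOD_TEXT: prints hfi1's "Used by" count (0 if not loaded)
hfi1_refcount() {
    printf '%s\n' "$1" | awk '$1 == "hfi1" { n = $3 } END { print n + 0 }'
}

# modprobe_conf: hardened config. "blacklist" only blocks alias autoload;
# "install ... /bin/false" also makes an explicit modprobe fail.
modprobe_conf() {
    printf 'blacklist hfi1\ninstall hfi1 /bin/false\n'
}

# fix_in_tree KERNEL_GIT_DIR: succeeds if FIX_COMMIT is an ancestor of HEAD
fix_in_tree() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# classify LSMOD_TEXT: loaded-busy (rmmod will fail until /dev/hfi1_* users exit),
# loaded-idle (rmmod should succeed), or not-loaded
classify() {
    if hfi1_loaded "$1"; then
        if [ "$(hfi1_refcount "$1")" -gt 0 ]; then echo loaded-busy; else echo loaded-idle; fi
    else
        echo not-loaded
    fi
}

# apply_workaround: write the hardened config and try to unload (root only)
apply_workaround() {
    modprobe_conf > /etc/modprobe.d/blacklist-hfi1.conf
    rmmod hfi1 2>/dev/null || echo "hfi1 still in use; stop RDMA/MPI consumers first" >&2
}

# Constructed lsmod output for a node with two open hfi1 user contexts
SAMPLE_LSMOD='Module                  Size  Used by
hfi1                 1232896  2
rdmavt                102400  1 hfi1
ib_core               409600  2 rdmavt,hfi1'

classify "$SAMPLE_LSMOD"   # loaded-busy: the workaround cannot unload yet
```

Run classify against live output with `classify "$(lsmod)"`; run `fix_in_tree /path/to/linux` against the checkout the running kernel was built from, or fall back to the distribution changelog where no tree is available.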

📡 Detection & Monitoring

Log Indicators:

  • Kernel panics or hangs on nodes running hfi1-backed RDMA/MPI jobs, especially at job teardown or after MPI_Abort
  • KASAN or slab-corruption reports ("BUG: KASAN: use-after-free", "general protection fault", Oops) whose call trace names hfi1 symbols such as hfi1_mmu_rb_unregister
  • dmesg errors attributed to the hfi1 module around process exit

SIEM Query:

source="kernel" AND "hfi1" AND ("use-after-free" OR "KASAN" OR "general protection fault" OR "Oops")
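The log-based detection above, as an added shell example that is not part of this advisory. It scans kernel log text for KASAN use-after-free reports and attributes a report to hfi1 only when an hfi1 symbol appears on the BUG line or within the following call-trace lines, so a use-after-free in some other driver is not counted. The sample log is constructed to resemble a KASAN report and is not a captured crash; the symbol names and offsets in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes KASAN-style reports
# ("BUG: KASAN: use-after-free in <symbol> [<module>]") followed by a call trace.

# hfi1_uaf_hits LOG_TEXT: prints how many KASAN use-after-free reports name an
# hfi1 symbol on the BUG line or within the next 12 lines of the trace.
hfi1_uaf_hits() {
    printf '%s\n' "$1" | awk '
        /BUG: KASAN: (slab-)?use-after-free/ {
            if ($0 ~ /hfi1/) { hits++ } else { inreport = 1; ttl = 12 }
            next
        }
        inreport {
            if ($0 ~ /hfi1/) { hits++; inreport = 0 }
            else { ttl = ttl - 1; if (ttl <= 0) inreport = 0 }
        }
        END { print hits + 0 }'
}

# Constructed dmesg excerpt: one benign hfi1 line, one hfi1 UAF report,
# and one UAF report in an unrelated driver that must not be counted.
SAMPLE_DMESG='[  842.101000] hfi1 0000:18:00.0: hfi1_0: constructed benign driver message
[ 1234.567901] BUG: KASAN: use-after-free in hfi1_mmu_rb_unregister+0x1a4/0x2c0 [hfi1]
[ 1234.567912] Read of size 8 at addr ffff888123456780 by task mpiexec/4242
[ 1234.567923] Call Trace:
[ 1234.567930]  hfi1_mmu_rb_unregister+0x1a4/0x2c0 [hfi1]
[ 1234.567940]  hfi1_user_exp_rcv_free+0x3c/0x80 [hfi1]
[ 2000.000001] BUG: KASAN: use-after-free in other_driver_release+0x40/0x90 [other_driver]
[ 2000.000010] Call Trace:
[ 2000.000020]  other_driver_release+0x40/0x90 [other_driver]
[ 2000.000030]  __fput+0xe4/0x2a0'

hfi1_uaf_hits "$SAMPLE_DMESG"   # 1
```

On a live system feed it `"$(dmesg)"` or `"$(journalctl -k --no-pager)"`; production kernels without KASAN will instead show a general protection fault or Oops with hfi1 in the trace, which the SIEM query above is meant to catch.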
