CVE-2022-49086
📋 TL;DR
A memory leak vulnerability in the Linux kernel's Open vSwitch module allows attackers to cause denial of service through resource exhaustion. When parsing nested actions in network flows, the module fails to properly free allocated memory, leading to gradual memory depletion. Systems using Open vSwitch for network virtualization are affected.
💻 Affected Systems
- Linux kernel with Open vSwitch module
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete system memory exhaustion leading to kernel panic and system crash, disrupting all network traffic through Open vSwitch.
Likely Case
Gradual memory depletion causing performance degradation, packet loss, and eventual service disruption for Open vSwitch-managed networks.
If Mitigated
Minimal impact with proper monitoring and memory limits in place, though some performance degradation may still occur.
🎯 Exploit Status
Exploitation requires ability to create or modify Open vSwitch flows with nested actions. Typically requires some level of access to the OVS control plane.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions containing commits 1f30fb9166d4f15a1aa19449b9da871fe0ed4796 or later
Vendor Advisory: https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. For RHEL/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image
4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Limit Open vSwitch flow creation
Restrict who can create/modify Open vSwitch flows to prevent malicious flow injection
ovs-vsctl set-manager ptcp:6640 -- set-controller br0 tcp:127.0.0.1:6653
Configure OVS access controls via OpenFlow controllers
Monitor memory usage
Implement aggressive memory monitoring and alerting for OVS processes
watch -n 5 'ps aux | grep ovs'
Configure monitoring for /proc/[ovs-pid]/status memory metrics
🧯 If You Can't Patch
- Implement strict flow validation to reject nested actions in ct() and set() operations
- Deploy memory cgroups with hard limits on OVS processes to contain memory leak impact
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if Open vSwitch module is loaded: lsmod | grep openvswitch && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is after fix commits and test with flow creation containing nested actions while monitoring memory usage
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM (Out of Memory) messages in dmesg
- Rapid increase in OVS process memory usage in system logs
- Failed flow creation attempts with nested actions
Network Indicators:
- Unusual flow creation patterns in OVS
- Increased packet loss in OVS-managed networks
SIEM Query:
process_name="ovs-vswitchd" AND memory_usage_increase_percent>50 AND time_window=5min
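One way to implement the growth check behind the monitoring steps and the SIEM query above, as an added example that is not part of the advisory or of the kernel or Open vSwitch projects. The function names and sample values are assumptions; SUnreclaim from /proc/meminfo is sampled alongside VmRSS because memory leaked inside the kernel module is kernel memory and is not counted in the RSS of ovs-vswitchd.

```shell
#!/bin/sh
# Added example (not from the advisory): flag memory growth above the
# threshold used in the SIEM query (>50% between samples 5 minutes apart).
THRESHOLD_PCT=50

# Read "Key:  12345 kB" text on stdin, print the kB value; exit 1 if absent.
proc_kb() {
    awk -v key="$1:" '$1 == key { print $2; found = 1; exit }
                      END { if (!found) exit 1 }'
}

# Integer percent growth from $1 to $2 (kB); 0 when flat, shrinking or old=0.
growth_pct() {
    if [ "$1" -le 0 ] || [ "$2" -le "$1" ]; then
        echo 0
    else
        echo $(( ($2 - $1) * 100 / $1 ))
    fi
}

# check_growth KEY BEFORE AFTER: 0 = within threshold, 1 = alert, 2 = no key.
check_growth() {
    key=$1
    old=$(printf '%s\n' "$2" | proc_kb "$key") || return 2
    new=$(printf '%s\n' "$3" | proc_kb "$key") || return 2
    pct=$(growth_pct "$old" "$new")
    if [ "$pct" -gt "$THRESHOLD_PCT" ]; then
        echo "ALERT $key +${pct}%"
        return 1
    fi
    echo "ok $key +${pct}%"
}

# Live sample for real use: process RSS plus unreclaimable kernel slab.
sample_now() {
    pid=$(pidof -s ovs-vswitchd) && grep '^VmRSS:' "/proc/$pid/status"
    grep '^SUnreclaim:' /proc/meminfo
}

# Constructed samples (not real output): RSS flat, kernel slab growing.
SAMPLE_T0='VmRSS:        81920 kB
SUnreclaim:  200000 kB'
SAMPLE_T1='VmRSS:        82944 kB
SUnreclaim:  340000 kB'

check_growth VmRSS "$SAMPLE_T0" "$SAMPLE_T1" || true
check_growth SUnreclaim "$SAMPLE_T0" "$SAMPLE_T1" || true
```

For real use, capture the output of sample_now five minutes apart and pass the two captures to check_growth once per key.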
🔗 References
- https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796
- https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c
- https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509
- https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff
- https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b
- https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff
- https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40