CVE-2022-49093
📋 TL;DR
A use-after-free vulnerability exists in the Linux kernel's skbuff coalescing mechanism when page_pool fragment recycling is in use. It allows memory corruption when network packets are processed, potentially leading to system crashes or arbitrary code execution. It affects Linux systems that use page_pool with specific network drivers such as hns3.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to arbitrary code execution with kernel privileges, system crashes, or data corruption.
Likely Case
System instability, kernel panics, or IOMMU faults causing network disruption and potential denial of service.
If Mitigated
Limited to specific network configurations; systems not using page_pool fragment recycling or affected drivers remain unaffected.
🎯 Exploit Status
Exploitation requires specific network traffic patterns to trigger the coalescing bug and depends on driver/page_pool configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel versions via commits: 1effe8ca4e34c34cdd9318436a4232dcb582ebf4, 72bb856d16e883437023ff2ff77d0c498018728a, ba965e8605aee5387cecaa28fcf7ee9f61779a49, c4fa19615806a9a7e518c295b39175aa47a685ac
Vendor Advisory: https://git.kernel.org/stable/c/1effe8ca4e34c34cdd9318436a4232dcb582ebf4
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable page_pool fragment recycling
Linux
Prevent the vulnerable code path by disabling the page_pool fragment recycling feature
echo 0 > /sys/module/page_pool/parameters/recycle_fragments
🧯 If You Can't Patch
- Disable affected network drivers or use alternative drivers
- Implement network segmentation to limit exposure to potentially malicious traffic
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether page_pool fragment recycling is enabled: cat /sys/module/page_pool/parameters/recycle_fragments
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated to patched version and check dmesg for any page_pool related errors after network activity
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- IOMMU fault messages in dmesg
- Page allocation failure messages
Network Indicators:
- Unexpected network interface resets
- Increased packet loss on affected interfaces
SIEM Query:
source="kernel" AND ("page_pool" OR "skbuff" OR "use-after-free")
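The "How to Verify" and "Detection & Monitoring" checks above can be combined into one triage script. This is an added example, not code from the advisory or the kernel project: the function names and sample log lines are constructed, the sysfs path is the one quoted on this page (reported as absent if the running kernel does not expose it), and the patterns only approximate the listed indicators.

```shell
#!/bin/sh
# Added example: triage helper for the checks listed in this advisory.
# PARAM_PATH is the sysfs path quoted on the page; it may not exist on a given kernel.
PARAM_PATH="${PARAM_PATH:-/sys/module/page_pool/parameters/recycle_fragments}"

# Print absent, disabled, enabled or unknown for the parameter file in $1.
recycle_state() {
    if [ ! -r "$1" ]; then
        echo absent          # missing file: nothing can be concluded from it
        return 0
    fi
    case "$(tr -d '[:space:]' < "$1")" in
        0|N|n) echo disabled ;;
        "")    echo unknown ;;
        *)     echo enabled ;;
    esac
}

# Filter kernel log text on stdin down to the page's log indicators and SIEM terms.
# The patterns approximate those indicators; real message formats vary by platform.
scan_kernel_log() {
    grep -Ei 'page_pool|skbuff|use-after-free|kernel panic|iommu.*fault|page allocation failure' || true
}

# Number of matching lines on stdin.
count_indicators() {
    scan_kernel_log | wc -l | tr -d ' '
}

# Constructed sample log (not captured from a real system).
sample_log() {
    cat <<'EOF'
[  101.000001] hns3 0000:7d:00.0 eth0: link up
[  245.120000] BUG: KASAN: use-after-free in skb_release_data
[  245.130000] arm-smmu-v3: IOMMU fault reported for device 0000:7d:00.0
[  300.000000] kworker/0:1: page allocation failure: order:0
[  310.000000] EXT4-fs (sda1): mounted filesystem
[  400.000000] Kernel panic - not syncing: Fatal exception in interrupt
EOF
}

# Run the checks against the live system.
triage() {
    echo "kernel release:    $(uname -r)"
    echo "recycle_fragments: $(recycle_state "$PARAM_PATH")"
    echo "indicator lines:   $(dmesg 2>/dev/null | count_indicators)"
    dmesg 2>/dev/null | scan_kernel_log | tail -n 20
}

# Usage: sh triage.sh --live   (reads dmesg; may need root)
if [ "${1:-}" = "--live" ]; then triage; fi
```

An "absent" result means the parameter file cannot be used to judge exposure on that host; fall back to comparing the running kernel against your distribution's patched version.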