CVE-2022-49197

5.5 MEDIUM

📋 TL;DR

This is a Linux kernel defect in the netlink subsystem. When netlink_recvmsg() fills in the sender address, the 32-bit nl_groups bitmask is computed by shifting 1 left by (group - 1); the least significant bit stands for group 1, so the field can represent groups 1 to 32 only. For multicast group IDs above 32 the shift is out of range for a 32-bit value, which is undefined behaviour in C and is what UBSAN reports as a shift-out-of-bounds. The observable effect is an incorrect nl_groups value handed to the receiving application, not memory corruption; the fix makes the kernel report 0 for groups above 32, and applications that need the exact group of a message on such a group should enable NETLINK_PKTINFO and read it from the control message. It affects Linux systems where a local process subscribes to a netlink multicast group above 32.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a local netlink socket subscribed to a multicast group above 32 (group 32 itself is fine). The known trigger is bridge VLAN monitoring (bridge monitor vlan listens on group 33).

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴

Worst Case

On kernels built with UBSAN in trap mode, or running with panic_on_warn, the sanitizer report becomes a kernel panic, i.e. a local denial of service. The defect is an out-of-range shift on a computed value, not a memory-safety bug, so it does not by itself provide a privilege-escalation primitive.

🟠

Likely Case

A UBSAN shift-out-of-bounds warning in the kernel log and an incorrect nl_groups value returned to the listening application each time a message arrives on a multicast group above 32 (for example group 33, RTNLGRP_BRVLAN, used by bridge VLAN notifications). The system keeps running.

🟢

If Mitigated

Applications that learn the group from NETLINK_PKTINFO control messages see no functional effect; the only residue is the sanitizer warning on kernels built with UBSAN.

🌐 Internet-Facing: LOW - Netlink is a local socket family; nothing remote can trigger this directly.
🏢 Internal Only: MEDIUM - Any local user or service that can open a netlink socket and join a multicast group above 32 can trigger it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: NO (the defect yields a sanitizer report and a wrong nl_groups value, not memory corruption)
Unauthenticated Exploit: ✅ No
Complexity: LOW

The reproducer is the one from the fix commit: a local process joins a netlink multicast group above 32 (bridge monitor vlan, on group 33) and then receives a notification on it. Requires local access or a local process able to open netlink sockets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits: 0caf6d9922192dd1afa8dc2131abfb4df1443b9f, 41249fff507387c3323b198d0052faed08b14de4, 7409ff6393a67ff9838d0ae1bd102fb5f020d07a, ac5883a8890a11c00b32a19949a25d4afeaa2f5a, b0898362188e05b2202656058cc32d98fabf3bac

Vendor Advisory: https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot to load the new kernel.
3. Verify the running kernel version after reboot.

🔧 Temporary Workarounds

Disable bridge VLAN monitoring

linux

Prevent triggering the vulnerability by not subscribing to netlink multicast groups above 32 on unpatched kernels

Avoid running: bridge monitor vlan
Avoid other listeners that join a multicast group above 32 (any RTNLGRP above RTNLGRP_NEXTHOP, which is 32)

Use NETLINK_PKTINFO for high groups

linux

Configure applications to use nl_pktinfo control messages for groups above 32, as the fix commit recommends; the nl_groups field of the sender address cannot represent those groups at all

Set the NETLINK_PKTINFO socket option in applications and read the group from the NETLINK_PKTINFO control message on recvmsg()
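The following is an added example in C; it is not kernel code and not part of the original page or the fix commit. It puts the TL;DR and this workaround together: a mirror of the fixed netlink_group_mask() helper, showing why group 33 can never be carried in the 32-bit nl_groups field, next to the NETLINK_PKTINFO path a userspace listener should use instead. The helper names other than netlink_group_mask(), the constructed control message and the choice of group 33 (RTNLGRP_BRVLAN on current kernels, the group bridge monitor vlan joins) are assumptions of this example; the sample msghdr is built inline rather than captured from a live socket, so everything except open_pktinfo_listener() runs offline on any Linux host.

```c
/* Added example, not kernel code. Linux-only: needs <linux/netlink.h>. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define SAMPLE_GROUP 33u   /* assumption: RTNLGRP_BRVLAN, bridge vlan notifications */

/* Mirror of the fixed kernel helper. Before the fix the body was just
 * "return group ? 1 << (group - 1) : 0;", and for group > 32 the shift
 * exponent exceeded the 32-bit type (the UBSAN shift-out-of-bounds). */
static uint32_t netlink_group_mask(uint32_t group)
{
    if (group > 32)
        return 0;                 /* not representable in 32-bit nl_groups */
    return group ? 1u << (group - 1) : 0;
}

/* Inverse of the mask: lowest set bit -> group number, 0 if no bit set. */
static uint32_t group_from_mask(uint32_t mask)
{
    return mask ? (uint32_t)__builtin_ctz(mask) + 1 : 0;
}

/* With NETLINK_PKTINFO enabled on the socket, recvmsg() attaches a
 * NETLINK_PKTINFO control message whose nl_pktinfo.group is the full group
 * id, so groups above 32 survive intact. Returns 0 if no such cmsg. */
static uint32_t group_from_pktinfo(struct msghdr *msg)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_NETLINK && c->cmsg_type == NETLINK_PKTINFO) {
            struct nl_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            return pi.group;
        }
    }
    return 0;
}

/* What a listener should do: trust pktinfo first, fall back to nl_groups. */
static uint32_t received_group(struct msghdr *msg, const struct sockaddr_nl *from)
{
    uint32_t g = group_from_pktinfo(msg);
    return g ? g : group_from_mask(from->nl_groups);
}

/* Constructed sample input (not a captured message): a msghdr carrying one
 * NETLINK_PKTINFO control message, laid out as recvmsg() would return it. */
static void build_sample_msg(struct msghdr *msg, unsigned char *cbuf, size_t cbuflen, uint32_t group)
{
    struct nl_pktinfo pi = { .group = group };
    struct cmsghdr *c;

    memset(msg, 0, sizeof *msg);
    memset(cbuf, 0, cbuflen);
    msg->msg_control = cbuf;
    msg->msg_controllen = cbuflen;    /* large enough for CMSG_FIRSTHDR */
    c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = SOL_NETLINK;
    c->cmsg_type = NETLINK_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    msg->msg_controllen = CMSG_SPACE(sizeof pi);   /* exactly one cmsg */
}

/* Real socket setup for the workaround: rtnetlink listener on `group` with
 * pktinfo enabled. Returns the fd, or -1 on failure. */
static int open_pktinfo_listener(uint32_t group)
{
    int one = 1;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_PKTINFO, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &group, sizeof group) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    struct msghdr msg;
    unsigned char cbuf[64];
    struct sockaddr_nl from = { .nl_family = AF_NETLINK };
    int fd;

    /* nl_groups alone: group 32 round-trips, group 33 is reported as 0. */
    printf("mask(32)=0x%08x mask(33)=0x%08x\n", netlink_group_mask(32), netlink_group_mask(33));

    /* pktinfo carries group 33 intact. */
    build_sample_msg(&msg, cbuf, sizeof cbuf, SAMPLE_GROUP);
    printf("received_group=%u\n", received_group(&msg, &from));

    fd = open_pktinfo_listener(SAMPLE_GROUP);
    if (fd >= 0) {
        printf("joined group %u with NETLINK_PKTINFO; recvmsg() now reports the group in a cmsg\n", SAMPLE_GROUP);
        close(fd);
    }
    return 0;
}
```

Build with `cc -o nlgroup nlgroup.c` on a Linux host. Joining an rtnetlink group does not require root, but on an unpatched kernel the join itself is harmless; it is the first notification received on a group above 32 that produces the UBSAN report, so keep such listeners off unpatched systems.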

🧯 If You Can't Patch

  • Restrict which local users and services can open netlink sockets on affected hosts
  • Audit for processes that subscribe to netlink multicast groups above 32 (bridge monitor vlan is the known trigger) and stop them on unpatched kernels

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with patched versions from your distribution. Vulnerable if using kernel before fix commits.

Check Version:

uname -r

Verify Fix Applied:

Confirm via your distribution's kernel changelog that the running kernel includes one of the fix commits listed above (0caf6d9922192dd1afa8dc2131abfb4df1443b9f or the corresponding stable backport).

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c, followed by a line of the form "shift exponent N is too large for 32-bit type 'int'" with N of 32 or more
  • On kernels with panic_on_warn or UBSAN trap mode: a crash whose stack trace ends in netlink_recvmsg

Network Indicators:

  • None on the wire: netlink is a local socket family, so the trigger never leaves the host
  • Host-level only: local processes joining netlink multicast groups above 32, such as bridge monitor vlan

SIEM Query:

search kernel/system logs for 'UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c', and process-audit logs for 'bridge monitor vlan'
