CVE-2022-49228
📋 TL;DR
A NULL pointer dereference in the Linux kernel's BPF subsystem lets a local attacker crash the kernel (denial of service via kernel panic) by submitting specially crafted BPF Type Format (BTF) data. It affects systems running vulnerable Linux kernel versions with BPF enabled, and exploitation requires local access.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local attacker causes kernel panic leading to system crash and denial of service, potentially disrupting critical services.
Likely Case
Local user or malicious process triggers kernel crash, causing temporary system unavailability until reboot.
If Mitigated
With proper access controls and kernel hardening, impact is limited to denial of service from authorized users only.
🎯 Exploit Status
Syzbot reported the bug with a working reproducer. Exploitation requires ability to load BPF programs, which typically requires CAP_BPF or similar capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with fixes from the referenced commits
Vendor Advisory: https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fixes.
2. Check distribution security advisories for backported patches.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Restrict BPF access
Limit BPF subsystem access to prevent exploitation
sysctl -w kernel.unprivileged_bpf_disabled=1
capsh --drop=cap_bpf -- -c "your_command"
Disable BPF JIT
Disable BPF Just-In-Time compilation to reduce attack surface
sysctl -w net.core.bpf_jit_enable=0
🧯 If You Can't Patch
- Implement strict capability controls to prevent unauthorized users from loading BPF programs
- Monitor for crash reports and kernel panics related to BPF operations
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether unprivileged BPF is disabled: uname -r && sysctl kernel.unprivileged_bpf_disabled
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel is an updated version, then confirm that known-safe BPF programs still load correctly.
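The two sysctl workarounds above and the "Check if Vulnerable" step both come down to reading kernel knobs. The POSIX shell script below is an added example, not tooling from the advisory or the kernel project; it reads the knobs from /proc/sys directly (assumed paths: /proc/sys/kernel/unprivileged_bpf_disabled and /proc/sys/net/core/bpf_jit_enable) and reports whether each workaround is in effect. Two caveats worth knowing when applying the workarounds: setting kernel.unprivileged_bpf_disabled to 1 is sticky until reboot, while 2 disables unprivileged BPF but can be reverted; and kernels built with CONFIG_BPF_JIT_ALWAYS_ON will not accept net.core.bpf_jit_enable=0. Neither knob blocks a caller that already holds CAP_BPF or CAP_SYS_ADMIN, which is why the Exploit Status section's capability requirement still matters after hardening.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the two sysctl
# workarounds on this page are in effect. Reads /proc/sys directly so it
# works without the sysctl binary. Exit status 0 = both workarounds active.

# Pure evaluators, so the decision logic can be checked against values
# supplied by a test rather than only against the live host.
# kernel.unprivileged_bpf_disabled: 0 = unprivileged BPF allowed (weak),
# 1 = disabled and sticky until reboot, 2 = disabled but reversible.
bpf_unpriv_hardened() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# net.core.bpf_jit_enable: 0 = JIT off (the workaround), 1 = on,
# 2 = on with debug output.
bpf_jit_hardened() {
    [ "$1" = "0" ]
}

# Read a /proc/sys entry; prints "missing" when the kernel has no such knob
# (BPF compiled out, or a kernel that predates the setting).
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo missing
    fi
}

# Report both settings; returns 0 only when both workarounds are active.
check_bpf_workarounds() {
    unpriv=$(read_sysctl kernel/unprivileged_bpf_disabled)
    jit=$(read_sysctl net/core/bpf_jit_enable)
    rc=0
    if bpf_unpriv_hardened "$unpriv"; then
        echo "OK   kernel.unprivileged_bpf_disabled=$unpriv"
    else
        echo "WEAK kernel.unprivileged_bpf_disabled=$unpriv (unprivileged BPF allowed or knob not present)"
        rc=1
    fi
    if bpf_jit_hardened "$jit"; then
        echo "OK   net.core.bpf_jit_enable=$jit"
    else
        echo "WEAK net.core.bpf_jit_enable=$jit (JIT still on or knob not present)"
        rc=1
    fi
    return $rc
}

# Live check of this host; the message keeps the script's own exit path clean
# when a workaround is not active.
check_bpf_workarounds || echo "one or more BPF workarounds are not active"
```

Run it as root or any user that can read /proc/sys (both knobs are world-readable on stock kernels); the WEAK lines tell you which of the two sysctl commands from the workaround section still needs to be applied.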
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- BPF-related crash reports in dmesg
- System crash/reboot events
Network Indicators:
- None - local exploitation only
SIEM Query:
source="kernel" AND ("general protection fault" OR "KASAN: null-ptr-deref" OR ("BPF" AND "crash"))
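To run the log indicators and SIEM query above against kernel output on a single host, here is an added shell example that is not part of the advisory. It encodes the query's precedence (BPF AND crash grouped as one term) and, going beyond the page's query, also matches the "BUG: kernel NULL pointer dereference" line that kernels built without KASAN print for this class of fault. The log lines are constructed for the demonstration, not captured from a vulnerable kernel, and the crash-site function name in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the page's log indicators to
# dmesg-style lines. Match rule, mirroring the SIEM query's precedence:
#   "general protection fault" OR "KASAN: null-ptr-deref"
#   OR ("BPF" AND "crash")
#   OR "BUG: kernel NULL pointer dereference"   (non-KASAN kernels; beyond the page's query)

# Constructed sample lines, not real kernel output. The function name in the
# KASAN line is a placeholder, not the actual crash site.
SAMPLE_LOG='[  123.456] general protection fault, probably for non-canonical address 0x0: 0000 [#1] SMP
[  123.457] BUG: KASAN: null-ptr-deref in placeholder_btf_fn+0x1a/0x2c0
[  200.001] bpf: loaded program id=42 (benign load, not an indicator)
[  300.002] BPF program crash handler invoked (constructed)
[  400.003] random: crng init done
[  500.004] BUG: kernel NULL pointer dereference, address: 0000000000000000'

# Print only the lines that satisfy the rule; stdin -> stdout.
# index() is case-sensitive, so a lowercase "bpf:" loader message does not
# count unless "crash" is also present.
match_bpf_crash_indicators() {
    awk '
        index($0, "general protection fault") ||
        index($0, "KASAN: null-ptr-deref") ||
        (index($0, "BPF") && index($0, "crash")) ||
        index($0, "BUG: kernel NULL pointer dereference") { print }
    '
}

# Count matching lines in a string, so the rule can be checked in tests.
count_indicators() {
    printf '%s\n' "$1" | match_bpf_crash_indicators | wc -l | tr -d ' '
}

# Demonstration over the constructed sample: four of the six lines match.
printf '%s\n' "$SAMPLE_LOG" | match_bpf_crash_indicators
```

On a live system feed it the kernel ring buffer (`dmesg | match_bpf_crash_indicators`) or the journal (`journalctl -k | match_bpf_crash_indicators`); a non-empty result is a prompt to pull the full oops text and the list of recently loaded BPF programs, not proof of exploitation, since the same messages appear for unrelated kernel bugs.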