CVE-2022-49390
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's MACsec implementation where a network device (real_dev) can be freed while still being referenced by a MACsec device, leading to memory corruption. It affects Linux systems using MACsec network encryption. Attackers with local access could potentially crash the system or execute arbitrary code.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to kernel-level code execution, potentially leading to full system compromise.
Likely Case
Kernel panic or system crash causing denial of service.
If Mitigated
Limited impact if MACsec is not configured or if proper access controls prevent local attackers from creating MACsec devices.
🎯 Exploit Status
Requires local access and ability to create MACsec network devices. Exploitation requires kernel memory manipulation knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 196a888ca657, 78933cbc143b, or d130282179aa
Vendor Advisory: https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable MACsec module
LinuxPrevent loading of MACsec kernel module if not needed
echo 'install macsec /bin/false' >> /etc/modprobe.d/disable-macsec.conf
rmmod macsec 2>/dev/null || true
Restrict MACsec device creation
LinuxUse Linux capabilities or SELinux/AppArmor to prevent unauthorized users from creating network devices
🧯 If You Can't Patch
- Restrict local user access to prevent unauthorized users from creating network devices
- Implement strict SELinux/AppArmor policies to block MACsec device creation
🔍 How to Verify
Check if Vulnerable:
Check if MACsec module is loaded: lsmod | grep macsec. Check kernel version against distribution security advisories.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or is newer than vulnerable versions. Check with: uname -r📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN use-after-free reports in dmesg
- MACsec-related crash reports
Network Indicators:
- Unexpected MACsec device creation
- Network interface anomalies
SIEM Query:
source="kernel" AND ("KASAN" OR "use-after-free" OR "macsec" OR "BUG:")