CVE-2022-49455
📋 TL;DR
This CVE describes a double-free vulnerability in the Linux kernel's ocxl driver, which could lead to memory corruption and potential kernel panic or privilege escalation. It affects systems using the OpenCAPI (Open Coherent Accelerator Processor Interface) functionality. Attackers with local access could exploit this to crash the system or execute arbitrary code.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context.
Likely Case
Kernel panic leading to denial of service (system crash) when malicious users trigger the vulnerable code path.
If Mitigated
No impact if proper access controls prevent local users from accessing ocxl device files or if the module isn't loaded.
🎯 Exploit Status
Requires local access and ability to interact with ocxl device files. Exploitation requires triggering specific error conditions during AFU registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 252768d32e92c1214aeebb5fec0844ca479bcf5c, 8fb674216835e1f0c143762696d645facebb4685, 950cf957fe34d40d63dfa3bf3968210430b6491e, 9e9087cf34ee69f4e95d146ac29385d6e367a97b, de65c32ace9aa70d51facc61ba986607075e3a25
Vendor Advisory: https://git.kernel.org/stable/c/252768d32e92c1214aeebb5fec0844ca479bcf5c
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix commits. 2. Check your distribution's security advisories for patched kernel packages. 3. Reboot to load the new kernel.
🔧 Temporary Workarounds
Unload ocxl module
LinuxPrevent loading of the vulnerable driver module if not needed
rmmod ocxl
echo 'blacklist ocxl' >> /etc/modprobe.d/blacklist.conf
Restrict device file access
LinuxLimit access to ocxl device files to prevent exploitation
chmod 600 /dev/ocxl/*
chown root:root /dev/ocxl/*
🧯 If You Can't Patch
- Ensure strict access controls to prevent local users from accessing ocxl functionality
- Monitor system logs for crashes or unusual ocxl-related activity
🔍 How to Verify
Check if Vulnerable:
Check if ocxl module is loaded: lsmod | grep ocxl. If loaded, check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits or check with distribution's security tools. Confirm ocxl module functions normally after patch.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- ocxl driver error messages in dmesg
- System crash/reboot logs
Network Indicators:
- None - local exploitation only
SIEM Query:
Search for: 'kernel panic', 'ocxl', 'double free', 'general protection fault' in system logs🔗 References
- https://git.kernel.org/stable/c/252768d32e92c1214aeebb5fec0844ca479bcf5c
- https://git.kernel.org/stable/c/8fb674216835e1f0c143762696d645facebb4685
- https://git.kernel.org/stable/c/950cf957fe34d40d63dfa3bf3968210430b6491e
- https://git.kernel.org/stable/c/9e9087cf34ee69f4e95d146ac29385d6e367a97b
- https://git.kernel.org/stable/c/de65c32ace9aa70d51facc61ba986607075e3a25
- https://git.kernel.org/stable/c/ee89d8dee55ab4b3b8ad8b70866b2841ba334767
