CVE-2022-49535
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's lpfc SCSI driver allows local attackers to cause a kernel panic or potentially execute arbitrary code. This affects systems using Linux kernels with the lpfc driver for Emulex Fibre Channel adapters. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Linux kernel with lpfc driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, or potential privilege escalation to kernel-level code execution.
Likely Case
Kernel panic causing system crash and denial of service.
If Mitigated
No impact if patched or if lpfc driver is not loaded/used.
🎯 Exploit Status
Requires local access and knowledge of triggering the specific FLOGI/PLOGI failure conditions in the lpfc driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df, 577a942df3de2666f6947bdd3a5c9e8d30073424, c7dc74ab7975c9b96284abfe4cca756d75fa4604 or later
Vendor Advisory: https://git.kernel.org/stable/c/10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify lpfc driver is updated.
🔧 Temporary Workarounds
Unload lpfc driver
LinuxRemove the vulnerable driver if not needed
modprobe -r lpfc
Blacklist lpfc driver
LinuxPrevent lpfc driver from loading at boot
echo 'blacklist lpfc' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict local user access to systems using lpfc driver
- Monitor for kernel panic events and investigate root causes
🔍 How to Verify
Check if Vulnerable:
Check if lpfc module is loaded: lsmod | grep lpfc. Check kernel version: uname -r and compare with patched versions from your distribution.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is patched and lpfc module loads without issues during Fibre Channel operations.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- lpfc driver error messages related to FLOGI/PLOGI failures
Network Indicators:
- Fibre Channel connectivity issues on affected systems
SIEM Query:
search 'kernel panic' OR 'lpfc' AND ('FLOGI' OR 'PLOGI' OR 'use-after-free')