CVE-2022-49548
📋 TL;DR
This CVE describes an array overflow vulnerability in the Linux kernel's BPF subsystem. The flaw allows an attacker with local access to exceed the maximum number of BPF_TRAMP_MODIFY_RETURN programs attached to a trampoline, potentially leading to memory corruption. This affects all Linux systems using vulnerable kernel versions with BPF functionality enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.
Likely Case
Kernel panic or system crash resulting in denial of service.
If Mitigated
No impact if BPF functionality is disabled or proper access controls prevent unprivileged users from loading BPF programs.
🎯 Exploit Status
Exploitation requires local access and ability to load BPF programs. The vulnerability is in a specific BPF trampoline function that manages program attachments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing the fix commits: 32c4559c61652f24c9fdd5440342196fe37453bc, 4f8897bcc20b9ae44758e0572538d741ab66f0dc, 7f845de2863334bed4f362e95853f5e7bc323737, a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d, e36452d5da6325df7c10cffc60a9e68d21e2606d
Vendor Advisory: https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix commits.
2. For distributions: use the package manager to update the kernel package.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable BPF functionality
Disable unprivileged access to the BPF syscall so that unprivileged users cannot load BPF programs that could trigger the vulnerability (either command below has the same effect; note that a value of 1 cannot be reverted without a reboot):
sysctl -w kernel.unprivileged_bpf_disabled=1
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Restrict BPF capabilities
Use Linux capabilities to restrict which users can load BPF programs:
setcap -r /usr/bin/bpftool
Remove CAP_BPF and CAP_SYS_ADMIN from non-privileged users
🧯 If You Can't Patch
- Restrict user access to systems to prevent local exploitation
- Implement strict capability management to prevent unprivileged BPF program loading
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version against the patched versions in the references, and check whether BPF functionality is enabled in the running kernel:
grep CONFIG_BPF_SYSCALL /boot/config-$(uname -r)
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version includes the fix commits, then test BPF trampoline functionality with controlled test programs.
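The verification and workaround steps above, combined into a single host check, as an added example that is not part of this advisory: it reads the kernel config and the unprivileged_bpf_disabled sysctl and reports whether the affected code is reachable by unprivileged users. The function names and the exposure labels ("not-affected", "mitigated", "exposed") are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): summarise this host's exposure to the
# BPF-trampoline flaw (CVE-2022-49548) from the two facts the verification
# section uses: CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled.

# bpf_syscall_enabled CONFIG_FILE -> "yes", "no" or "unknown" (file unreadable)
# Without CONFIG_BPF_SYSCALL the affected trampoline code is unreachable.
bpf_syscall_enabled() {
    [ -r "$1" ] || { echo unknown; return; }
    if grep -q '^CONFIG_BPF_SYSCALL=y' "$1"; then echo yes; else echo no; fi
}

# unprivileged_bpf_state VALUE -> classifies kernel.unprivileged_bpf_disabled
#   0 -> "open"    : unprivileged users may load BPF programs
#   1 -> "locked"  : disabled, and cannot be re-enabled until reboot
#   2 -> "disabled": disabled, but root can set it back to 0
unprivileged_bpf_state() {
    case "$1" in
        0) echo open ;;
        1) echo locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# assess_exposure CONFIG_FILE SYSCTL_VALUE -> prints one of
#   not-affected : BPF syscall not compiled in
#   mitigated    : BPF present, but unprivileged loading is disabled
#   exposed      : BPF present and unprivileged loading allowed (or state unknown)
# Callers holding CAP_BPF/CAP_SYS_ADMIN still reach the code when "mitigated";
# only the kernel update removes the bug itself.
assess_exposure() {
    bpf=$(bpf_syscall_enabled "$1")
    state=$(unprivileged_bpf_state "$2")
    if [ "$bpf" = no ]; then
        echo not-affected
    elif [ "$bpf" = yes ] && { [ "$state" = locked ] || [ "$state" = disabled ]; }; then
        echo mitigated
    else
        echo exposed
    fi
}

# Live run on this host, using the paths the advisory's verification step names.
cfg="/boot/config-$(uname -r)"
val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
echo "kernel=$(uname -r) bpf_syscall=$(bpf_syscall_enabled "$cfg") unprivileged_bpf=$(unprivileged_bpf_state "$val") -> $(assess_exposure "$cfg" "$val")"
```

A "mitigated" result only means the unprivileged path is closed; treat it as a stopgap until the fixed kernel is installed and the host rebooted.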
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- System crash/panic logs
- Audit logs showing BPF program loading failures
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("Oops" OR "panic" OR "BPF" OR "trampoline")
🔗 References
- https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc
- https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc
- https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737
- https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d
- https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d