CVE-2022-49622

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's netfilter subsystem (nf_tables) that occurs when packet tracing is enabled. An attacker could potentially exploit this to cause kernel crashes or execute arbitrary code with kernel privileges. All Linux systems using affected kernel versions with nf_tables and packet tracing enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches exist in stable kernel trees. Likely affects multiple kernel versions before the fix commits.
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when nf_tables packet tracing is enabled. Default configurations typically do not have tracing enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel privilege escalation leading to full system compromise, arbitrary code execution at kernel level, or persistent denial of service.

🟠

Likely Case

Kernel panic or system crash resulting in denial of service; restoring functionality may require a reboot or physical access.

🟢

If Mitigated

No impact if packet tracing is disabled or systems are patched.

🌐 Internet-Facing: MEDIUM - Requires specific conditions (nf_tables with tracing) and network access to trigger, but could be exploited remotely if those conditions exist.
🏢 Internal Only: MEDIUM - Same technical requirements as internet-facing, but requires internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions (nf_tables with tracing enabled) and knowledge of kernel internals. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel trees via commits 0016d5d46d7440729a3132f61a8da3bf7f84e2ba and e34b9ed96ce3b06c79bf884009b16961ca478f87

Vendor Advisory: https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fix commits.
2. Check with your distribution vendor for specific patched kernel versions.
3. Reboot the system after the kernel update.

🔧 Temporary Workarounds

Disable nf_tables packet tracing

Linux

Disable the vulnerable feature that triggers the use-after-free condition

echo 0 > /proc/sys/net/netfilter/nf_log_all_netns
sysctl -w net.netfilter.nf_log_all_netns=0

🧯 If You Can't Patch

  • Disable nf_tables packet tracing via sysctl or procfs
  • Implement network segmentation to limit exposure to potential exploit traffic

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether nf_tables tracing is enabled:

cat /proc/sys/net/netfilter/nf_log_all_netns

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commits, or check with your distribution vendor. If using the workaround, confirm that nf_log_all_netns is 0.
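The verification steps above can be scripted. The following is an added example and not part of the advisory: it inspects an nf_tables ruleset listing for rules that turn on packet tracing (nf_tables tracing is enabled per rule with the expression "meta nftrace set 1", which comes from the nft(8) rule syntax rather than from the advisory text) and reports the advisory's own sysctl when it exists. The sample ruleset is constructed for the example; on a live host pass the output of `nft list ruleset` instead.

```shell
#!/bin/sh
# Added example, not from the advisory. Counts nf_tables rules that enable
# packet tracing ("meta nftrace set 1", nft(8) syntax, assumed here) in a
# ruleset listing, and prints the advisory's sysctl value when present.

# count_trace_rules RULESET_TEXT
# Prints the number of rules in the listing that set nftrace.
count_trace_rules() {
    n=$(printf '%s\n' "$1" | grep -c 'meta nftrace set 1') || true
    echo "${n:-0}"
}

# trace_status RULESET_TEXT
# Prints "enabled" if any rule turns tracing on, otherwise "disabled".
trace_status() {
    if [ "$(count_trace_rules "$1")" -gt 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample in the shape of `nft list ruleset` output, with one
# rule that enables tracing for inbound SSH traffic.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 22 meta nftrace set 1
		ct state established,related accept
	}
}'

main() {
    echo "kernel: $(uname -r 2>/dev/null || echo unknown)"
    echo "nftrace rules in sample listing: $(count_trace_rules "$SAMPLE_RULESET")"
    echo "packet tracing (sample): $(trace_status "$SAMPLE_RULESET")"
    # The advisory's workaround check, shown only where the sysctl exists.
    f=/proc/sys/net/netfilter/nf_log_all_netns
    if [ -r "$f" ]; then
        echo "nf_log_all_netns: $(cat "$f")"
    fi
}

main
```

On a real system replace the sample with `trace_status "$(nft list ruleset)"`; a result of "enabled" means at least one rule exercises the tracing path the advisory describes.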

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • Oops (kernel crash) logs in /var/log/messages or dmesg
  • System crash/reboot events

Network Indicators:

  • Unusual nf_tables rule activity
  • Suspicious packet patterns targeting netfilter

SIEM Query:

EventID=41 OR (Source="kernel" AND (Message="Oops" OR Message="kernel panic"))
