CVE-2022-49647
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's cgroup subsystem that occurs during process migration between control groups. When multiple threads are moved simultaneously with some performing identity migrations (no actual move) while others move between cgroups, the kernel can incorrectly release memory references, potentially leading to kernel crashes or privilege escalation. All Linux systems using affected kernel versions are vulnerable.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or privilege escalation allowing attackers to gain root access and execute arbitrary code in kernel context.
Likely Case
System instability, kernel crashes, or denial of service due to memory corruption in the cgroup subsystem.
If Mitigated
Limited impact if systems have restricted cgroup operations or minimal process migration activity.
🎯 Exploit Status
Exploitation requires local access and understanding of cgroup operations. The specific sequence of cgroup manipulations described in the CVE is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commit 05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27 or later backports
Vendor Advisory: https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Restrict cgroup operations
Limit access to cgroup manipulation to trusted users only by restricting permissions on the cgroup filesystem.
chmod 750 /sys/fs/cgroup
setfacl -m u:trusteduser:rwx /sys/fs/cgroup
🧯 If You Can't Patch
- Restrict shell access and process management capabilities to minimize attack surface
- Implement strict access controls on /sys/fs/cgroup directory to prevent unauthorized cgroup operations
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with distribution's security advisories. Vulnerable if using unpatched kernel before fix commit.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version matches patched release from vendor. Check that commit 05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27 is present in kernel source.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- OOM killer messages related to cgroup
- System crash/reboot events
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
EventID=41 OR (Source="kernel" AND (Message="panic" OR Message="Oops"))
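The log indicators above, applied to syslog-style text as an added example (not part of the original advisory or of any vendor tooling). It matches only kernel-sourced lines, so application messages that happen to contain "panic" are ignored; the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage filter for the log indicators listed above.
# Input: syslog-style lines ("Mon DD HH:MM:SS host tag: message"), the layout
# used by /var/log/kern.log and by `journalctl -k`.

# Print "<category><TAB><line>" for every kernel-sourced line that matches.
classify_kernel_events() {
  awk '
    # Source="kernel": skip everything not logged by the kernel, so that
    # application messages containing "panic" are not counted.
    $5 != "kernel:" { next }
    /panic/ { print "panic\t" $0; next }
    /Oops/  { print "oops\t" $0; next }
    # OOM kills scoped to a memory cgroup.
    /Memory cgroup out of memory|oom_memcg=/ { print "cgroup-oom\t" $0; next }
  '
}

# Constructed sample input (not taken from a real host).
sample_log() {
  cat <<'EOF'
Jul 14 10:02:11 host1 kernel: Memory cgroup out of memory: Killed process 4242 (worker)
Jul 14 10:02:12 host1 myapp[811]: panic: runtime error: index out of range
Jul 14 10:05:40 host1 kernel: Oops: 0000 [#1] SMP PTI
Jul 14 10:05:41 host1 kernel: Kernel panic - not syncing: Fatal exception
Jul 14 10:06:00 host1 sshd[900]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2
EOF
}

# Summarise matched categories in order of appearance, comma-separated.
event_categories() {
  classify_kernel_events | cut -f1 | paste -sd, -
}

# Stand-alone run: classify the constructed sample.
sample_log | classify_kernel_events
```

These indicators are generic kernel crash signals, so a hit is a prompt to check the running kernel against the fix commit rather than proof that this CVE was triggered.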
🔗 References
- https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27
- https://git.kernel.org/stable/c/07fd5b6cdf3cc30bfde8fe0f644771688be04447
- https://git.kernel.org/stable/c/0e41774b564befa6d271e8d5086bf870d617a4e6
- https://git.kernel.org/stable/c/54aee4e5ce8c21555286a6333e46c1713880cf93
- https://git.kernel.org/stable/c/7657e3958535d101a24ab4400f9b8062b9107cc4
- https://git.kernel.org/stable/c/ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68
- https://git.kernel.org/stable/c/cec2bbdcc14fbaa6b95ee15a7c423b05d97038be