Login Sign Up

CVE-2022-49667

7.8 HIGH
Denial of Service

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's bonding driver that occurs when unbinding a slave interface in 802.3ad (LACP) mode. It allows attackers with local access to potentially crash the kernel or execute arbitrary code. Systems using Linux kernel bonding with 802.3ad mode are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions between commit 0622cab0341c and the fix commits
Operating Systems: All Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using network bonding with 802.3ad (LACP) mode enabled and slave interfaces are being unbound.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel crash leading to denial of service, or potential privilege escalation and arbitrary code execution in kernel context.

🟠

Likely Case

Kernel panic and system crash causing denial of service.

🟢

If Mitigated

No impact if bonding is not used or 802.3ad mode is disabled.

🌐 Internet-Facing: LOW - Requires local access to the system.
🏢 Internal Only: MEDIUM - Local attackers or compromised services could exploit this to crash systems or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to manipulate network bonding interfaces. Exploitation would require understanding of kernel memory management.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 050133e1aa2c, 2765749def47, 63b2fe509f69, 893825289ba8, a853b7a3a9fd

Vendor Advisory: https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot the system to load the new kernel. 3. Verify the fix is applied by checking kernel version.

🔧 Temporary Workarounds

Disable 802.3ad bonding mode

all

Switch bonding to a different mode that doesn't use 802.3ad/LACP

ip link set bond0 down
echo "mode=balance-rr" > /sys/class/net/bond0/bonding/mode
ip link set bond0 up

Disable bonding entirely

all

Remove bonding configuration if not required

systemctl stop NetworkManager
rm /etc/sysconfig/network-scripts/ifcfg-bond*
systemctl start NetworkManager

🧯 If You Can't Patch

  • Avoid unbinding slave interfaces from 802.3ad bond groups
  • Monitor systems for kernel panics related to bonding driver

🔍 How to Verify

Check if Vulnerable:

Check if bonding is configured with 802.3ad mode: cat /proc/net/bonding/bond0 | grep 'Bonding Mode'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version contains fix commits: uname -r and verify with distribution patch notes

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN reports of use-after-free in bond_3ad_state_machine_handler
  • System crashes when modifying network bonding

Network Indicators:

  • Unexpected network interface failures
  • Bonding interface degradation

SIEM Query:

event_source="kernel" AND (message CONTAINS "bond_3ad" OR message CONTAINS "KASAN: use-after-free")

📊 Metadata

CVE ID: CVE-2022-49667
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
EPSS Score: 0.04% exploit probability (10.3th percentile)
Published: February 26, 2025
Last Updated: March 24, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-49667, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)