CVE-2022-49697
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's BPF subsystem where socket lookup helpers fail to properly release request_socket objects. This causes kernel memory exhaustion over time, potentially leading to denial of service. Systems running affected Linux kernel versions with BPF programs performing socket lookups are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust kernel memory, causing system instability, crashes, or denial of service requiring reboot.
Likely Case
Gradual memory leak leading to performance degradation and eventual system instability in environments with frequent socket lookups.
If Mitigated
Minimal impact with proper monitoring and memory limits in place.
🎯 Exploit Status
Exploitation requires ability to load and execute BPF programs with socket lookup operations, typically requiring CAP_BPF or similar privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 3046a827316c0e55fc563b4fb78c93b9ca5c7c37, 516760f1d2979903eaad5b437256913c5cd98416, 5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd, 8ffe2e50e9678c8373027492035f094b130437f1, b03607437ea81b850599f705096b05b85e7a4a71
Vendor Advisory: https://git.kernel.org/stable/c/3046a827316c0e55fc563b4fb78c93b9ca5c7c37
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable BPF socket lookup programs
linuxPrevent loading of BPF programs that use sk_lookup helpers
sysctl -w kernel.unprivileged_bpf_disabled=1
Remove or disable BPF programs using socket lookups
🧯 If You Can't Patch
- Monitor kernel memory usage (slabinfo) for request_sock object growth
- Implement system memory limits and restart services if memory exhaustion detected
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if BPF socket lookup programs are running: uname -r and bpftool prog listCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits: grep -q '3046a827316c0e55fc563b4fb78c93b9ca5c7c37\|516760f1d2979903eaad5b437256913c5cd98416' /proc/version📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- System instability logs
- Memory exhaustion warnings
Network Indicators:
- Degraded network performance if BPF programs affected
SIEM Query:
source="kernel" AND ("out of memory" OR "slab" OR "request_sock")🔗 References
- https://git.kernel.org/stable/c/3046a827316c0e55fc563b4fb78c93b9ca5c7c37
- https://git.kernel.org/stable/c/516760f1d2979903eaad5b437256913c5cd98416
- https://git.kernel.org/stable/c/5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd
- https://git.kernel.org/stable/c/8ffe2e50e9678c8373027492035f094b130437f1
- https://git.kernel.org/stable/c/b03607437ea81b850599f705096b05b85e7a4a71
