CVE-2022-49779

7.8 HIGH

📋 TL;DR

This Linux kernel vulnerability involves improper handling of kprobes (kernel probes) when unregistering ftrace-based probes, potentially causing use-after-free conditions. It affects Linux systems using kprobes functionality, primarily impacting administrators and developers working with kernel debugging or monitoring tools. The vulnerability could lead to kernel crashes or privilege escalation.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions before the fix commits (specific versions vary by distribution, but generally affects 6.1.x and earlier versions with kprobes functionality)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when kprobes functionality is used, particularly with ftrace-based probes. Systems not using kprobes or ftrace are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash, or potential privilege escalation to root if an attacker can trigger the use-after-free condition to execute arbitrary code in kernel context.

🟠 Likely Case

System instability, kernel crashes, or denial of service when unloading kernel modules that use kprobes with ftrace.

🟢 If Mitigated

Minimal impact if kprobes functionality is not used or if systems are properly patched.

🌐 Internet-Facing: LOW - This vulnerability requires local access and specific kernel module operations to trigger.
🏢 Internal Only: MEDIUM - Internal users with sufficient privileges could potentially exploit this to crash systems or escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires local access, specific knowledge of kprobes, and ability to load/unload kernel modules.

Exploitation requires loading specific kernel modules that use kprobes with ftrace, then unloading them in a particular way to trigger the bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Linux kernel commits: 55788ebbe8b365b4375bd56b4ba7db79d393a370, 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb, 7b0007b28dd970176f2e297c06ae63eea2447127, 7d606ae1abcc3eab5408e42444d789dc7def51b8, c49cc2c059b503e962c2f13a806c105f9b757df4

Vendor Advisory: https://git.kernel.org/stable/c/55788ebbe8b365b4375bd56b4ba7db79d393a370

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your Linux distribution vendor.
2. For custom kernels, apply the relevant kernel commits.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable kprobes functionality

Prevent loading of kprobes modules to mitigate the vulnerability

echo 'blacklist kprobes' >> /etc/modprobe.d/blacklist.conf
rmmod kprobes

Restrict kernel module loading

Prevent unauthorized users from loading kernel modules

sysctl -w kernel.modules_disabled=1

🧯 If You Can't Patch

  • Restrict access to users who can load/unload kernel modules
  • Monitor for attempts to load kprobes-related modules

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if kprobes modules are loaded: uname -r && lsmod | grep -i kprobe

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is patched and test kprobes functionality with a simple test module
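
A more precise exposure check for the "Check if Vulnerable" step, as an added example that is not part of the original advisory: `lsmod` lists only loadable modules, while the kernel reports its registered probes in `/sys/kernel/debug/kprobes/list` and flags ftrace-based ones with `[FTRACE]`. The sample list is constructed, and the `/boot/config-$(uname -r)` default is an assumption about where the distribution stores its kernel config.

```shell
#!/bin/sh
# Added example: inventory ftrace-based kprobes on a host (run as root,
# debugfs mounted). Usage after sourcing this file:
#   list_ftrace_kprobes; count_ftrace_kprobes; kprobes_on_ftrace_enabled

# Constructed sample in the layout of /sys/kernel/debug/kprobes/list:
# address, type (k = kprobe, r = kretprobe), symbol+offset, status flags.
SAMPLE_KPROBE_LIST='ffffffff81234560  k  vfs_read+0x0    [FTRACE]
ffffffff81234a10  r  do_sys_open+0x0    [DISABLED][FTRACE]
ffffffff81299f24  k  tcp_sendmsg+0x14    [OPTIMIZED]
ffffffff812a0000  k  do_exit+0x0    '

# Print "type symbol+offset flags" for every probe flagged [FTRACE].
# $1: list file, defaults to the debugfs path; "-" reads stdin.
list_ftrace_kprobes() {
    awk '/\[FTRACE\]/ { print $2, $3, $NF }' \
        "${1:-/sys/kernel/debug/kprobes/list}"
}

# Count the probes flagged [FTRACE]; prints 0 when none are registered.
count_ftrace_kprobes() {
    list_ftrace_kprobes "$@" | awk 'END { print NR }'
}

# Succeed when the kernel config in $1 enables kprobes on ftrace.
# The default path is a distribution convention (assumption).
kprobes_on_ftrace_enabled() {
    grep -q '^CONFIG_KPROBES_ON_FTRACE=y' "${1:-/boot/config-$(uname -r)}"
}
```

A count of 0 together with an unset `CONFIG_KPROBES_ON_FTRACE` means no ftrace-based probe is registered at the time of the check.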

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • WARN messages about kprobe-ftrace in dmesg
  • Failed to disarm kprobe-ftrace errors

Network Indicators:

  • None - this is a local kernel vulnerability

SIEM Query:

Search for: 'Failed to disarm kprobe-ftrace' OR 'WARNING.*kprobes' in kernel logs
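
The two patterns from the SIEM query above, applied to kernel log text, as an added example that is not part of the original advisory. The sample log lines are constructed (timestamps, PIDs, symbol names and the `NNN` line placeholder are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: scan kernel log text for the two indicators this page lists.
# Usage after sourcing this file:
#   dmesg | scan_kprobe_indicators
#   journalctl -k --no-pager | has_kprobe_indicators && echo "investigate"

# Constructed kernel log lines for the demonstration.
SAMPLE_KERNEL_LOG='[  812.004117] usb 1-2: new high-speed USB device number 5
[ 1042.118730] Failed to disarm kprobe-ftrace at demo_func+0x0/0x40 (error -2)
[ 1042.118741] WARNING: CPU: 2 PID: 4312 at kernel/kprobes.c:NNN demo+0x1/0x2
[ 1050.530022] EXT4-fs (sda1): re-mounted. Opts: (null)'

# Read kernel log text on stdin. Print each matching line prefixed with the
# indicator it matched, then a one-line summary as the final line.
scan_kprobe_indicators() {
    awk '
        /Failed to disarm kprobe-ftrace/ { disarm++; print "disarm_fail: " $0 }
        /WARNING.*kprobes/               { warn++;   print "warn_kprobes: " $0 }
        END { printf "summary disarm_fail=%d warn_kprobes=%d\n", disarm, warn }
    '
}

# Succeed (exit 0) only when stdin contains at least one indicator, so the
# function can gate an alert in a cron job or log pipeline.
has_kprobe_indicators() {
    grep -q -E 'Failed to disarm kprobe-ftrace|WARNING.*kprobes'
}
```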
