CVE-2022-49796
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's tracing subsystem allows local attackers to cause a kernel panic (denial of service) by triggering a specific error condition during kprobe event generation. This affects systems with kernel tracing enabled and requires local access to exploit. The vulnerability is in the kprobe_event_gen_test_exit() function when test_gen_kprobe_cmd() fails.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
Local denial of service through kernel panic when malicious users trigger the specific error path.
If Mitigated
Minimal impact if kernel tracing is disabled or proper access controls prevent local users from loading modules.
🎯 Exploit Status
Exploitation requires local access and ability to trigger the specific error path in kprobe event generation. The vulnerability was discovered through code review and fixed before widespread exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 22ea4ca9631eb137e64e5ab899e9c89cb6670959, 28a54854a95923b6266a9479ad660ca2cc0e1d5f, 510c12f93674ea0a1423b24f36c67357168a262a, e57daa750369fedbf678346aec724a43b9a51749
Vendor Advisory: https://git.kernel.org/stable/c/22ea4ca9631eb137e64e5ab899e9c89cb6670959
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check your distribution's security advisories for specific patched kernel versions. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable kernel tracing
linuxDisable kernel tracing functionality to prevent exploitation of this vulnerability
echo 0 > /sys/kernel/debug/tracing/events/kprobes/enable
echo 0 > /sys/kernel/debug/tracing/tracing_on
Restrict module loading
linuxPrevent unauthorized users from loading kernel modules that could trigger the vulnerability
sysctl -w kernel.modules_disabled=1
echo 1 > /proc/sys/kernel/modules_disabled
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from loading kernel modules or accessing tracing functionality
- Monitor system logs for kernel panic events and unauthorized module loading attempts
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if tracing is enabled: uname -r && lsmod | grep -i trace && cat /sys/kernel/debug/tracing/tracing_onCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is patched: uname -r and check with distribution vendor for specific patched versions📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- NULL pointer dereference errors
- Modules with 'kprobe' in name being loaded
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kprobe_event_gen_test" OR "Oops:")