CVE-2022-49798
📋 TL;DR
A race condition in the Linux kernel's tracing subsystem allows eprobes (event probes) to be triggered before event data is fully initialized, leading to a NULL pointer dereference. This affects Linux systems with kernel tracing enabled, potentially causing kernel panics or system crashes. The vulnerability requires local access and specific tracing configurations to be exploitable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially allowing local privilege escalation if combined with other vulnerabilities.
Likely Case
Local denial of service through a kernel panic when a malicious user triggers the race condition with specific eprobe configurations.
If Mitigated
Minimal impact if kernel tracing is disabled or eprobes are not configured.
🎯 Exploit Status
Requires local access and ability to configure kernel tracing/events. Race condition exploitation requires precise timing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 7291dec4f2d17a2d3fd1f789fb41e58476539f21, 73f5191467ffe3af82f27fe0ea6a8c2fac724d3f, or 94eedf3dded5fb472ce97bfaf3ac1c6c29c35d26
Vendor Advisory: https://git.kernel.org/stable/c/7291dec4f2d17a2d3fd1f789fb41e58476539f21
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable kernel tracing
Disable the kernel tracing subsystem to prevent eprobe configuration
echo 0 > /sys/kernel/debug/tracing/tracing_on
echo 0 > /sys/kernel/debug/tracing/events/enable
Restrict eprobe configuration
Use kernel lockdown mode or capabilities to restrict who can configure tracing
echo integrity > /sys/kernel/security/lockdown
🧯 If You Can't Patch
- Disable kernel tracing subsystem completely
- Implement strict access controls to prevent unauthorized users from configuring eprobes
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if tracing is enabled: uname -r && cat /sys/kernel/debug/tracing/tracing_on
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version contains the fix commits and test eprobe functionality
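Added example (not part of the original advisory): a shell check that reports whether any eprobes are defined and whether tracing is on, the two conditions the "If Mitigated" note depends on. The function names are hypothetical, the sample tracefs content is constructed, and it assumes eprobe definitions appear in dynamic_events as lines starting with "e:".

```shell
#!/bin/sh
# Added example: report eprobe/tracing state relevant to CVE-2022-49798.
# Default path is the one used on this page; newer systems also mount
# tracefs at /sys/kernel/tracing. Reading it normally requires root.

# Count eprobe definitions: dynamic_events lists each one as "e:GROUP/NAME ...".
count_eprobes() {
    grep -c '^e:' "$1/dynamic_events" 2>/dev/null || true
}

# Prints one status line. Returns 0 = no eprobes, 1 = eprobes present,
# 2 = state could not be read.
eprobe_exposure() {
    dir="${1:-/sys/kernel/debug/tracing}"
    if [ ! -r "$dir/dynamic_events" ]; then
        echo "unknown: cannot read $dir/dynamic_events"
        return 2
    fi
    on=$(cat "$dir/tracing_on" 2>/dev/null || echo "?")
    n=$(count_eprobes "$dir")
    if [ "$n" -gt 0 ]; then
        echo "eprobes-present: $n defined, tracing_on=$on, kernel=$(uname -r)"
        return 1
    fi
    echo "no-eprobes: tracing_on=$on, kernel=$(uname -r)"
    return 0
}

# Constructed sample (not real system output): one kprobe and one eprobe.
demo=$(mktemp -d)
echo 1 > "$demo/tracing_on"
printf '%s\n' \
    'p:kprobes/p_open do_sys_openat2' \
    'e:eprobes/open_file syscalls.sys_enter_openat file=+0($filename):ustring' \
    > "$demo/dynamic_events"
eprobe_exposure "$demo" || true
rm -rf "$demo"
```

On a real host, run eprobe_exposure with no argument as root. The script reports tracing state only; whether the running kernel contains the fix commits still has to be confirmed from the distribution's kernel changelog.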
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs mentioning NULL pointer dereference in tracing code
- System crash/reboot events with tracing enabled
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer" OR "kernel panic") AND tracing