CVE-2022-49840
📋 TL;DR
This is an alignment bug in the Linux kernel's BPF subsystem. bpf_prog_test_run_skb(), reached through the BPF_PROG_TEST_RUN command of bpf(2), allocates the test packet buffer using the caller's data_size_in without rounding it, so an odd-sized input leaves struct skb_shared_info at a misaligned offset at the end of the buffer. When the test-run program clones the skb, __skb_clone() does an atomic update of the shared info's reference count; on aarch64 that misaligned atomic faults, and with KFENCE enabled the fault is reported as a use-after-free read in __skb_clone (which is why the CVE text describes it as one). A local user who can load a BPF program and test-run it can trigger the crash; the fix rounds the size with SKB_DATA_ALIGN() in bpf_test_init(). Systems running an unpatched kernel with CONFIG_BPF_SYSCALL are affected.
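The buffer arithmetic behind that description, as an added example (a userspace model written for this page, not kernel code): it reproduces how bpf_test_init() sizes the allocation and where __build_skb_around() then places struct skb_shared_info, once with the user size used as-is and once with the patch's SKB_DATA_ALIGN(size). The constants SMP_CACHE_BYTES=64, NET_IP_ALIGN=0 (the x86 value), SHINFO_SIZE=320 and the 4096-byte page are assumptions that mirror 64-bit kernel defaults, and the function names are this example's own. The model uses the exact requested size as ksize(), which is what a KFENCE-sampled allocation reports; an ordinary slab allocation rounds up to a size class and hides the odd total.

```c
/* Added example, not kernel code: model of the bpf_prog_test_run_skb()
 * buffer layout before and after the SKB_DATA_ALIGN(size) fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMP_CACHE_BYTES   64                        /* L1 line size, assumed */
#define ALIGN_UP(x, a)    (((x) + ((a) - 1)) & ~((size_t)(a) - 1))
#define SKB_DATA_ALIGN(x) ALIGN_UP((x), SMP_CACHE_BYTES) /* same formula as the kernel macro */
#define NET_SKB_PAD       SMP_CACHE_BYTES           /* max(32, L1_CACHE_BYTES) */
#define NET_IP_ALIGN      0                         /* x86 value, assumed; 2 on most other arches */
#define SHINFO_SIZE       320                       /* sizeof(struct skb_shared_info), 64-bit, assumed */
#define ETH_HLEN          14
#define MODEL_PAGE_SIZE   4096

struct layout {
    size_t headroom, data_len, tailroom, total;
    size_t shinfo_off;   /* offset of skb_shared_info from the start of the buffer */
};

/* fixed=false reproduces the vulnerable arithmetic (user size used as-is);
 * fixed=true applies the patch's SKB_DATA_ALIGN(size) before the allocation. */
struct layout test_run_layout(size_t user_size, bool fixed) {
    struct layout l;
    l.headroom = NET_SKB_PAD + NET_IP_ALIGN;
    l.tailroom = SKB_DATA_ALIGN(SHINFO_SIZE);
    l.data_len = fixed ? SKB_DATA_ALIGN(user_size) : user_size;
    l.total    = l.headroom + l.data_len + l.tailroom;
    /* __build_skb_around(): end = ksize(data) - SKB_DATA_ALIGN(sizeof(shinfo)).
     * A KFENCE-sampled allocation reports the exact requested size from
     * ksize(), so the shared info lands at this unrounded offset. */
    l.shinfo_off = l.total - SKB_DATA_ALIGN(SHINFO_SIZE);
    return l;
}

/* bpf_test_init()'s range check on data_size_in: too small or too big is -EINVAL. */
bool user_size_accepted(size_t user_size) {
    size_t headroom = NET_SKB_PAD + NET_IP_ALIGN;
    size_t tailroom = SKB_DATA_ALIGN(SHINFO_SIZE);
    return user_size >= ETH_HLEN && user_size <= MODEL_PAGE_SIZE - headroom - tailroom;
}

/* __skb_clone() does atomic_inc(&shinfo->dataref); arm64 faults when that
 * 32-bit word is not naturally aligned. */
bool shinfo_word_aligned(size_t user_size, bool fixed) {
    return test_run_layout(user_size, fixed).shinfo_off % sizeof(uint32_t) == 0;
}

/* What the fix guarantees: the shared info starts on a cache line. */
bool shinfo_cache_aligned(size_t user_size, bool fixed) {
    return test_run_layout(user_size, fixed).shinfo_off % SMP_CACHE_BYTES == 0;
}

int main(void) {
    const size_t sizes[] = { 64, 399, 407, 1500 };   /* constructed inputs; 399 and 407 are odd */
    printf("%6s %10s %10s %13s\n", "size", "shinfo_old", "shinfo_new", "old word-ok?");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct layout a = test_run_layout(sizes[i], false);
        struct layout b = test_run_layout(sizes[i], true);
        printf("%6zu %10zu %10zu %13s\n", sizes[i], a.shinfo_off, b.shinfo_off,
               shinfo_word_aligned(sizes[i], false) ? "yes" : "NO");
    }
    return 0;
}
```

With the assumed constants, an input of 399 bytes puts the shared info at offset 463 before the fix (not even 4-byte aligned) and at 512 after it; 1500 bytes happens to be word-aligned before the fix but not cache-line aligned, which is the weaker guarantee the patch also closes.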
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel oops or panic from the misaligned access (denial of service), on an architecture that faults on misaligned atomics; the fix commit reports it on aarch64. The kernel tracks it as a memory-safety fix because the KFENCE report is a use-after-free read, but nothing referenced on this page demonstrates a corruption primitive usable for privilege escalation or code execution.
Likely Case
Kernel crash on an arm64 system with KFENCE enabled, when a KFENCE-sampled test-run buffer happens to have an odd size. Without KFENCE, ksize() returns the slab size class rather than the exact request, so the shared info still lands on an aligned boundary and the odd size is harmless in practice.
If Mitigated
No exposure if CONFIG_BPF_SYSCALL is off, or if bpf(2) is unreachable for untrusted users (kernel.unprivileged_bpf_disabled=1, a seccomp filter, no CAP_BPF/CAP_SYS_ADMIN); the trigger needs BPF_PROG_TEST_RUN on a program the caller has already loaded.
🎯 Exploit Status
Exploitation requires local access, the ability to load a BPF program, and the ability to run it with BPF_PROG_TEST_RUN on odd-sized input. The issue was found by syzkaller, so a crash reproducer exists; that says nothing about reliable exploitation beyond a crash, and no public exploit is referenced here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions received fixes (see git.kernel.org references)
Vendor Advisory: https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable BPF syscall for unprivileged users
Linux: prevent unprivileged processes from loading BPF programs. Holders of CAP_BPF or CAP_SYS_ADMIN can still load and test-run programs, so this does not cover tooling that runs as root. A value of 1 cannot be reverted until reboot; newer kernels also accept 2, which can be switched back.
sysctl -w kernel.unprivileged_bpf_disabled=1
Add kernel.unprivileged_bpf_disabled=1 to /etc/sysctl.conf (or a file under /etc/sysctl.d/) so the setting survives a reboot
Use seccomp to block bpf() syscall
Linux: apply a seccomp filter to services that do not need BPF so that bpf() fails before it reaches the kernel's BPF code
Implement a seccomp policy that blocks __NR_bpf (321 on x86_64; the number differs per architecture, so the filter should check the audit arch as well)
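The seccomp policy described above, written out as an added example (this page's own illustration, not code from the advisory, the kernel, or any distribution): a raw classic-BPF program that returns EPERM for bpf(2) and allows every other syscall, refusing any syscall made under an unexpected ABI so the hard-coded number 321 is only ever compared on x86_64. The struct layouts and constants are local mirrors of the Linux UAPI definitions (struct sock_filter, struct sock_fprog, struct seccomp_data, SECCOMP_RET_*, AUDIT_ARCH_X86_64), duplicated here so the verdict simulator can run off-box; the function and type names are this example's own.

```c
/* Added example, not from the advisory or the kernel: seccomp-bpf filter
 * that fails bpf(2) with EPERM, plus a simulator for checking its verdicts. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#endif

/* Local mirrors of the UAPI layouts (same field order and sizes). */
struct sf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };     /* struct sock_filter */
struct sf_prog { uint16_t len; struct sf_insn *filter; };                   /* struct sock_fprog  */
struct sc_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };   /* struct seccomp_data */

enum { LD_W_ABS = 0x20, JMP_JEQ_K = 0x15, RET_K = 0x06 };   /* BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K */
#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define SECCOMP_RET_ERRNO 0x00050000U
#define SECCOMP_RET_DATA  0x0000ffffU
#define AUDIT_ARCH_X86_64 0xc000003eU
#define NR_BPF_X86_64     321
#define DENY_EPERM        (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sf_insn deny_bpf[] = {
    /* Check the ABI first: under another arch the syscall number means something else. */
    STMT(LD_W_ABS, offsetof(struct sc_data, arch)),
    JUMP(JMP_JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
    STMT(RET_K, DENY_EPERM),
    /* Then refuse bpf(2) and allow everything else. */
    STMT(LD_W_ABS, offsetof(struct sc_data, nr)),
    JUMP(JMP_JEQ_K, NR_BPF_X86_64, 0, 1),
    STMT(RET_K, DENY_EPERM),
    STMT(RET_K, SECCOMP_RET_ALLOW),
};
#define DENY_BPF_LEN (sizeof deny_bpf / sizeof deny_bpf[0])

/* Interpret the three opcodes used above and return the seccomp action word. */
uint32_t seccomp_verdict(const struct sf_insn *p, size_t n, const struct sc_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sf_insn *i = &p[pc];
        switch (i->code) {
        case LD_W_ABS:
            memcpy(&acc, (const unsigned char *)d + i->k, sizeof acc);
            break;
        case JMP_JEQ_K:
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case RET_K:
            return i->k;
        default:
            return 0;   /* unsupported opcode: the kernel would reject such a filter at load */
        }
    }
    return 0;
}

/* Verdict of the filter for a syscall number made under a given audit arch. */
uint32_t verdict_for(uint32_t arch, int nr) {
    struct sc_data d = { .nr = nr, .arch = arch, .ip = 0, .args = {0} };
    return seccomp_verdict(deny_bpf, DENY_BPF_LEN, &d);
}

/* Install the filter in the calling process (Linux only). no_new_privs is
 * required for an unprivileged process to load a filter. Returns 0 on success. */
int install_deny_bpf(void) {
#ifdef __linux__
    struct sf_prog prog = { (uint16_t)DENY_BPF_LEN, deny_bpf };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &prog);
#else
    return -1;
#endif
}

int main(void) {
    printf("bpf(2) on x86_64 -> 0x%08x (EPERM is 0x%08x)\n",
           verdict_for(AUDIT_ARCH_X86_64, NR_BPF_X86_64), (unsigned)DENY_EPERM);
    printf("read(2) on x86_64 -> 0x%08x (allow is 0x%08x)\n",
           verdict_for(AUDIT_ARCH_X86_64, 0), (unsigned)SECCOMP_RET_ALLOW);
    return 0;
}
```

Call install_deny_bpf() in a wrapper before exec'ing the workload; a seccomp filter is inherited by children but covers only that process tree, so this is a per-service control, not a system-wide one. Returning EPERM rather than SECCOMP_RET_KILL keeps software that merely probes for bpf() availability working, while still denying BPF_PROG_LOAD and BPF_PROG_TEST_RUN along with every other bpf(2) command.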
🧯 If You Can't Patch
- Restrict user access to BPF functionality via capabilities: CAP_BPF (kernels 5.8 and later) or CAP_SYS_ADMIN on older kernels; do not grant either to services that only need network or tracing features provided by other means
- Implement mandatory access control (SELinux/AppArmor) to restrict BPF usage to the specific tooling that needs it
🔍 How to Verify
Check if Vulnerable:
Compare the running kernel (cat /proc/version shows the full version and build string) against your distribution's advisory for CVE-2022-49840; a kernel older than the distribution's fixed build with CONFIG_BPF_SYSCALL enabled should be treated as vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Verify the kernel version matches the patched release from your distribution. If you build from source, the fix is in net/bpf/test_run.c: bpf_test_init() rounds the size with SKB_DATA_ALIGN(size) before the kzalloc() of the packet buffer, so check that line is present in the tree matching your running kernel.
📡 Detection & Monitoring
Log Indicators:
- KFENCE report "BUG: KFENCE: use-after-free read" naming __skb_shinfo / __skb_clone, with bpf_test_run, bpf_prog_test_run_skb and bpf_prog_test_run in the call trace
- Kernel oops or panic output on arm64 showing a fault in __skb_clone reached from bpf_test_run
- bpf() syscall activity from processes that should not use it (for example an auditd rule such as auditctl -a always,exit -F arch=b64 -S bpf), since the trigger requires loading and test-running a program
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND "KFENCE" AND ("__skb_clone" OR "__skb_shinfo" OR "bpf_prog_test_run_skb")
🔗 References
- https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd
- https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964
- https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70
- https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736
- https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25
- https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f
- https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40