CVE-2022-49853
📋 TL;DR
This is a memory leak vulnerability in the Linux kernel's macvlan driver that occurs when creating macvlan interfaces in 'source' mode. If the network device registration fails after source MAC addresses have been configured, the kernel fails to clean up allocated memory, leading to gradual memory exhaustion. This affects Linux systems using macvlan interfaces in source mode.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.
Likely Case
Gradual memory leak over time when creating macvlan interfaces in source mode, potentially leading to system performance degradation or out-of-memory conditions.
If Mitigated
Minimal impact if systems don't use macvlan source mode or have memory monitoring in place.
🎯 Exploit Status
Exploitation requires local access and CAP_NET_ADMIN privileges. The vulnerability is triggered by specific ip link commands with error conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 21d3a8b6a1e3, 23569b5652ee, 685e73e3f7a9, 956e0216a199, 9ea003c4671b
Vendor Advisory: https://git.kernel.org/stable/c/21d3a8b6a1e39e7529ce9de07316ee13a63f305b
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Check your distribution's security advisories for the specific patched versions.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Avoid macvlan source mode
Prevent creation of macvlan interfaces in source mode to avoid triggering the vulnerability.
# Monitor for macvlan source mode creation
# ip link show type macvlan | grep -i source
Restrict CAP_NET_ADMIN
Limit which users and processes can create network interfaces.
# Use capabilities or sudo restrictions
# setcap -r /sbin/ip
# Configure sudoers to restrict ip command
🧯 If You Can't Patch
- Monitor system memory usage and kernel logs for memory leak indicators
- Restrict user access to ip link commands and CAP_NET_ADMIN capabilities
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if macvlan source mode interfaces exist: uname -r && ip link show type macvlan
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel contains the fix commits, or is newer than the vulnerable versions listed in your distribution's advisory.
📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer messages
- Memory allocation failures in dmesg
- ip command errors when creating macvlan interfaces
Network Indicators:
- Unexpected macvlan interface creation in source mode
SIEM Query:
Process execution: ip link add type macvlan mode source OR Kernel logs: 'macvlan' AND 'memory' OR 'leak'
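The "How to Verify" and "Detection & Monitoring" sections above describe three checks: whether any macvlan interface is in source mode, whether the kernel log shows memory-pressure indicators, and whether the running kernel is at or past the version your distribution patched. The script below is an added example, not part of this advisory or of the kernel project, that implements all three over constructed sample data. It assumes the detailed listing (`ip -d link show type macvlan`), because the plain `ip link show` listing does not print the `macvlan mode ...` line; the sample output, the sample kernel log lines, and the `MINIMUM_PATCHED_RELEASE` placeholder are all constructed here, and the real minimum version must come from your distribution's advisory since this page lists fix commits rather than version numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -d link show type macvlan` output (assumption:
# the "-d" flag is required for iproute2 to print the "macvlan mode" line).
SAMPLE_IP_OUTPUT = """\
5: mv0@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:05 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    macvlan mode source  bcqueuelen 1000 usedbcqueuelen 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
6: mv1@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:06 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    macvlan mode bridge  bcqueuelen 1000 usedbcqueuelen 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
"""

# Constructed dmesg-style lines, not real captured output.
SAMPLE_KERNEL_LOG = [
    "[   12.345678] e1000e 0000:00:19.0 eth0: Link is Up - 1Gbps/Full",
    "[  200.000001] ip: page allocation failure: order:0, mode:0x40cc0(GFP_KERNEL|__GFP_COMP)",
    "[  300.000002] ip invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0",
]

# Placeholder: replace with the patched kernel version from your distro's advisory.
MINIMUM_PATCHED_RELEASE = "0.0.0"

# "5: mv0@eth0: <...>" -> interface name "mv0"; the "@parent" part is optional.
IFACE_HEADER = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:")
# Detail line printed by `ip -d`, e.g. "    macvlan mode source  bcqueuelen ..."
MODE_LINE = re.compile(r"^\s+macvlan mode (\S+)")


def macvlan_modes(ip_output: str) -> Dict[str, str]:
    """Map each macvlan interface name to its mode (source, bridge, vepa, ...)."""
    modes: Dict[str, str] = {}
    current = None
    for line in ip_output.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        mode = MODE_LINE.match(line)
        if mode and current:
            modes[current] = mode.group(1)
    return modes


def source_mode_interfaces(ip_output: str) -> List[str]:
    """Names of macvlan interfaces in 'source' mode, the mode this CVE concerns."""
    return sorted(name for name, mode in macvlan_modes(ip_output).items() if mode == "source")


# Log indicators taken from the advisory's "Log Indicators" list.
KERNEL_LOG_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("oom-killer", re.compile(r"invoked oom-killer|Out of memory", re.IGNORECASE)),
    ("alloc-failure", re.compile(r"allocation failure", re.IGNORECASE)),
    ("macvlan", re.compile(r"\bmacvlan\b", re.IGNORECASE)),
]


def scan_kernel_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator label, line) for every log line matching an indicator."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for label, pattern in KERNEL_LOG_INDICATORS:
            if pattern.search(line):
                hits.append((label, line))
                break  # one label per line is enough for triage
    return hits


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn `uname -r` output such as '6.1.55-1-generic' into a comparable tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_at_least(release: str, minimum: str) -> bool:
    """True if the running kernel release is at or past the patched minimum."""
    return parse_kernel_release(release) >= parse_kernel_release(minimum)


if __name__ == "__main__":
    # On a live host, feed in subprocess output of `ip -d link show type macvlan`,
    # `dmesg`, and `uname -r` instead of the constructed samples.
    print("source-mode macvlans:", source_mode_interfaces(SAMPLE_IP_OUTPUT))
    for label, line in scan_kernel_log(SAMPLE_KERNEL_LOG):
        print(f"[{label}] {line}")
    print("kernel patched:", kernel_at_least("6.1.55-1-generic", MINIMUM_PATCHED_RELEASE))
```

A host that reports no source-mode interfaces and a patched kernel is outside the reachable condition described in the TL;DR; the log scan is deliberately broad (any OOM or allocation failure), so treat its hits as a prompt to correlate with macvlan creation events rather than as proof of this particular leak.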
🔗 References
- https://git.kernel.org/stable/c/21d3a8b6a1e39e7529ce9de07316ee13a63f305b
- https://git.kernel.org/stable/c/23569b5652ee8e8e55a12f7835f59af6f3cefc30
- https://git.kernel.org/stable/c/685e73e3f7a9fb75cbf049a9d0b7c45cc6b57b2e
- https://git.kernel.org/stable/c/956e0216a19994443c90ba2ea6b0b284c9c4f9cb
- https://git.kernel.org/stable/c/9ea003c4671b2fc455320ecf6d4a43b0a3c1878a
- https://git.kernel.org/stable/c/9f288e338be206713d79b29144c27fca4503c39b
- https://git.kernel.org/stable/c/a81b44d1df1f07f00c0dcc0a0b3d2fa24a46289e
- https://git.kernel.org/stable/c/a8d67367ab33604326cc37ab44fd1801bf5691ba