CVE-2022-49863
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's CAN (Controller Area Network) subsystem allows local attackers to crash the kernel by creating specific network device configurations. This affects systems using CAN networking with bond and vxcan devices. The vulnerability requires local access to create network sockets and devices.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
Local denial of service through kernel crash when malicious users create specific CAN socket configurations.
If Mitigated
Minimal impact with proper access controls preventing unprivileged users from creating network devices.
🎯 Exploit Status
Exploit requires local access and knowledge of specific syscall sequences. The provided description includes the exact exploit steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 261178a1c2623077d62e374a75c195e6c99a6f05, 8aa59e355949442c408408c2d836e561794c40a1, a8055677b054bc2bb78beb1080fdc2dc5158c2fe, afab4655750fcb3fca359bc7d7214e3d634cdf9c, d68fa77ee3d03bad6fe84e89759ddf7005f9e9c6
Vendor Advisory: https://git.kernel.org/stable/c/261178a1c2623077d62e374a75c195e6c99a6f05
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check distribution security advisories for specific patched versions.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Restrict network device creation
Limit ability to create bond and vxcan devices to privileged users only
# Use capabilities or sudo restrictions
# Configure user/group permissions on network device creation
Disable CAN module if unused
Remove or blacklist CAN kernel modules if not required
# Blacklist CAN modules
echo 'blacklist can' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist can_raw' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Implement strict access controls to prevent unprivileged users from creating network sockets and devices
- Monitor for suspicious network device creation activities and syscall patterns
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether CAN modules are loaded: 'lsmod | grep can' and 'uname -r'
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits or check with distribution-specific security tools
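To check the module-load state and the blacklist workaround described above in one pass, the following added example (not part of the advisory or of any kernel tooling) reports, for each CAN module, whether it is loaded and whether a modprobe.d rule covers it. The function name `can_module_status` and the output format are this example's own; it assumes `/proc/modules` and modprobe.d-style files as input.

```shell
#!/bin/sh
# Added example, not part of the advisory. Usage on a live host:
#   can_module_status /proc/modules /etc/modprobe.d/*.conf

# Print "<module> loaded=<yes|no> policy=<none|blacklist|install>" for the
# CAN modules this advisory is concerned with.
can_module_status() {
    modules_file=$1
    shift
    for mod in can can_raw vxcan; do
        loaded=no
        # /proc/modules: the module name is the first field on each line.
        if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$modules_file"; then
            loaded=yes
        fi
        policy=none
        if [ "$#" -gt 0 ]; then
            # "blacklist X" only suppresses alias-triggered autoloading;
            # "install X /bin/false" makes modprobe run that command
            # instead of loading the module, so explicit modprobe fails too.
            policy=$(cat "$@" 2>/dev/null | awk -v m="$mod" '
                /^[ \t]*#/ { next }
                { name = $2; gsub(/-/, "_", name) }   # modprobe treats - and _ alike
                name != m { next }
                $1 == "blacklist" && best != "install" { best = "blacklist" }
                $1 == "install" && $3 ~ /\/(false|true)$/ { best = "install" }
                END { print (best == "" ? "none" : best) }')
        fi
        echo "$mod loaded=$loaded policy=$policy"
    done
}
```

A module that shows `loaded=yes` stays loaded until it is removed or the host reboots, whatever the policy column says.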
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- NULL pointer dereference errors in dmesg
- CAN-related crash reports
Network Indicators:
- Unusual bond+vxcan device creation patterns
- Multiple CAN socket creation attempts
SIEM Query:
search ('kernel: BUG:' OR 'kernel: Oops:' OR 'NULL pointer dereference') AND 'can_rx_register'
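The same correlation can be run directly over a kernel log. This added example (not from the advisory) reports an oops only when `can_rx_register` appears inside that same crash report, and still reports it when the log ends before the end-of-trace marker. The names `scan_can_oops` and `sample_log` are the example's own, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: flag kernel crash reports whose trace mentions can_rx_register.

# Constructed sample log (not captured from a real system).
sample_log() {
cat <<'EOF'
Jan 10 09:14:01 host1 kernel: can: controller area network core
Jan 10 09:14:02 host1 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000008
Jan 10 09:14:02 host1 kernel: Oops: 0000 [#1] PREEMPT SMP
Jan 10 09:14:02 host1 kernel: RIP: 0010:can_rx_register+0x12d/0x1e0
Jan 10 09:14:02 host1 kernel: ---[ end trace 0000000000000000 ]---
Jan 10 11:30:45 host1 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
Jan 10 11:30:45 host1 kernel: RIP: 0010:example_driver_irq+0x40/0x90
Jan 10 11:30:45 host1 kernel: ---[ end trace 0000000000000000 ]---
Jan 10 12:00:00 host1 kernel: can_rx_register mentioned outside any oops
EOF
}

# Read kernel log lines from files or stdin; print the first line of every
# crash report that references can_rx_register.
scan_can_oops() {
    awk '
    # A report opens at the first BUG:/Oops:/NULL-deref line.
    /(BUG|Oops):|NULL pointer dereference/ {
        if (!open) { open = 1; hit = 0; first = $0 }
    }
    # Only count the symbol when it appears inside an open report.
    open && /can_rx_register/ { hit = 1 }
    # The end-of-trace marker closes the report.
    open && /end trace/ { if (hit) print first; open = 0 }
    # A panic can cut the log short before the marker is written.
    END { if (open && hit) print first }
    ' "$@"
}

sample_log | scan_can_oops
```

On a live host, pipe `journalctl -k` output into `scan_can_oops` or pass it a saved kernel log file.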
🔗 References
- https://git.kernel.org/stable/c/261178a1c2623077d62e374a75c195e6c99a6f05
- https://git.kernel.org/stable/c/8aa59e355949442c408408c2d836e561794c40a1
- https://git.kernel.org/stable/c/a8055677b054bc2bb78beb1080fdc2dc5158c2fe
- https://git.kernel.org/stable/c/afab4655750fcb3fca359bc7d7214e3d634cdf9c
- https://git.kernel.org/stable/c/d68fa77ee3d03bad6fe84e89759ddf7005f9e9c6