CVE-2022-49870

7.1 HIGH

📋 TL;DR

This CVE addresses an undefined behavior vulnerability in the Linux kernel's capabilities subsystem where shifting a signed 32-bit integer by 31 bits could cause undefined behavior. The vulnerability affects Linux systems and could potentially lead to kernel crashes or unexpected behavior when handling capability masks. It requires local access to exploit via the prctl system call.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernels that do not include the fix commits (specific versions vary by distribution; check kernel commit history)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Linux systems with the vulnerable kernel code are affected; requires local user access to trigger via prctl.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash leading to denial of service, or potential privilege escalation if the undefined behavior can be manipulated to bypass capability checks.

🟠

Likely Case

System instability or kernel crash when specific prctl operations are performed, requiring local access to trigger.

🟢

If Mitigated

Minimal impact with proper kernel hardening and limited user access; the undefined behavior is fixed to prevent potential crashes.

🌐 Internet-Facing: LOW - Requires local access to exploit via prctl system call.
🏢 Internal Only: MEDIUM - Local users could potentially crash systems or cause instability if they have access to prctl operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and understanding of kernel capabilities; primarily a stability/DoS issue rather than direct privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 151dc8087b5609e53b069c068e3f3ee100efa586, 27bdb134c043ff32c459d98f16550d0ffa0b3c34, 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13, 5661f111a1616ac105ec8cec81bff99b60f847ac, 5b79fa628e2ab789e629a83cd211ef9b4c1a593e

Vendor Advisory: https://git.kernel.org/stable/c/151dc8087b5609e53b069c068e3f3ee100efa586

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits.
2. Check your distribution's security advisories for specific patched kernel versions.
3. Reboot system after kernel update.

🔧 Temporary Workarounds

Restrict prctl system call

Use seccomp profiles or other security mechanisms such as SELinux/AppArmor to restrict prctl system call usage.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor system logs for kernel panic or UBSAN warnings related to capabilities

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with distribution security advisories; examine if kernel contains the vulnerable CAP_TO_MASK code
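
What to look for when examining CAP_TO_MASK, as an added example that is not code from this advisory or copied from the kernel tree: the signed macro body matches the shift the advisory describes, and the fixed body uses an unsigned literal. The `_SIGNED`/`_UNSIGNED` suffixes, helper functions and sample capability numbers are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape: the literal 1 has type int, so the result must fit in int. */
#define CAP_TO_MASK_SIGNED(x)   (1 << ((x) & 31))
/* Fixed shape: 1U has type unsigned int, so all 32 bit positions are valid. */
#define CAP_TO_MASK_UNSIGNED(x) (1U << ((x) & 31))

/* Returns 1 if the signed form is well defined for this capability number.
 * The value is computed in 64 bits so the check itself never overflows. */
int signed_shift_defined(unsigned cap)
{
    int64_t wide = (int64_t)1 << (cap & 31);
    return wide <= INT_MAX;
}

/* Mask as the fixed macro computes it; defined for every input. */
uint32_t cap_mask_fixed(unsigned cap)
{
    return CAP_TO_MASK_UNSIGNED(cap);
}

/* Mask via the signed macro, refusing inputs where it would be undefined. */
int cap_mask_signed_checked(unsigned cap, uint32_t *out)
{
    if (!signed_shift_defined(cap))
        return -1;                      /* would be UB: do not evaluate */
    *out = (uint32_t)CAP_TO_MASK_SIGNED(cap);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: capability numbers in both 32-bit words. */
    unsigned samples[] = { 0, 7, 30, 31, 32, 40, 63 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned cap = samples[i];
        printf("cap %2u: bit %2u, signed form %s, fixed mask 0x%08x\n",
               cap, cap & 31,
               signed_shift_defined(cap) ? "defined  " : "UNDEFINED",
               (unsigned)cap_mask_fixed(cap));
    }
    return 0;
}
```

Only capability numbers whose low five bits are all set (31, 63) reach the shift by 31 that UBSAN reports; every other input produces the same mask under both forms.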

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits; check that UBSAN warnings no longer appear for capabilities shift operations

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • UBSAN warnings about shift-out-of-bounds in security/commoncap.c
  • System crash reports

Network Indicators:

  • None - local exploitation only

SIEM Query:

Search for: 'UBSAN: shift-out-of-bounds' OR 'cap_task_prctl' in kernel logs
