CVE-2022-49878
📋 TL;DR
This is a memory leak vulnerability in the Linux kernel's BPF verifier. When krealloc() fails during array reallocation for stack state, the original memory allocation isn't properly freed, causing a kernel memory leak. This affects systems running vulnerable Linux kernel versions with BPF functionality enabled.
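The failure path described above, reproduced in user space as an added example (this is not the kernel's verifier code). Here `realloc()` stands in for `krealloc()`, and the counting allocator, the fault injection and the names `grow_leaky`, `grow_fixed` and `live_after_grow` are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

static int live_blocks;   /* blocks allocated and not yet freed */
static int fail_realloc;  /* constructed fault injection: next resize fails */

static void *t_alloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void t_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Like krealloc(): on failure returns NULL and leaves the old block allocated. */
static void *t_realloc(void *p, size_t n)
{
	if (fail_realloc) { fail_realloc = 0; return NULL; }
	void *q = realloc(p, n);
	if (q && !p) live_blocks++;
	return q;
}

/* Leaky shape: the caller stores the result over its only pointer. */
static void *grow_leaky(void *arr, size_t n)
{
	return t_realloc(arr, n);
}

/* Fixed shape: release the original before reporting the failure. */
static void *grow_fixed(void *arr, size_t n)
{
	void *new_arr = t_realloc(arr, n);
	if (!new_arr)
		t_free(arr);
	return new_arr;
}

/* Grow a 64-byte array, run the caller's cleanup, return blocks still live. */
static int live_after_grow(void *(*grow)(void *, size_t), int inject_failure)
{
	live_blocks = 0;
	void *stack = t_alloc(64);
	fail_realloc = inject_failure;
	stack = grow(stack, 128);  /* NULL on failure: old pointer is lost */
	t_free(stack);             /* error path frees what it can still see */
	return live_blocks;
}

int main(void)
{
	printf("leaky, resize fails: %d live\n", live_after_grow(grow_leaky, 1));
	printf("fixed, resize fails: %d live\n", live_after_grow(grow_fixed, 1));
	printf("fixed, resize ok:    %d live\n", live_after_grow(grow_fixed, 0));
	return 0;
}
```

The leaky variant ends with one block still allocated and no pointer to it, which is the condition that accumulates in kernel memory each time the failing path is hit.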
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.
Likely Case
Memory leak gradually consumes kernel memory over time, potentially leading to performance degradation or system instability during extended BPF operations.
If Mitigated
With proper kernel memory management and monitoring, impact is limited to minor performance issues that can be detected and addressed.
🎯 Exploit Status
Exploitation requires ability to load BPF programs, which typically requires CAP_BPF or CAP_SYS_ADMIN capabilities. This is not a remote code execution vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees (see references for specific commits)
Vendor Advisory: https://git.kernel.org/stable/c/06615967d4889b08b19ff3dda96e8b131282f73d
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution's repositories.
2. Rebuild kernel if using custom kernel.
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable BPF functionality
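Restrict use of the BPF subsystem to prevent exploitation. The setting below blocks bpf() calls from unprivileged callers; processes holding CAP_BPF or CAP_SYS_ADMIN can still load programs.
sysctl -w kernel.unprivileged_bpf_disabled=1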
Consider removing BPF-related kernel modules if not needed
Restrict BPF capabilities
Limit which users can load BPF programs using Linux capabilities
setcap -r /path/to/binary
Use capability bounding sets to restrict CAP_BPF
🧯 If You Can't Patch
- Implement strict capability controls to prevent unauthorized BPF program loading
- Monitor kernel memory usage and implement alerts for abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if patches from references are applied. Use 'uname -r' and compare with distribution security advisories.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update matches patched version. Check that BPF functionality still works correctly.
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- Memory allocation failures in kernel logs
- BPF program loading errors
Network Indicators:
- Not applicable - this is a local kernel vulnerability
SIEM Query:
Search for kernel logs containing 'bpf', 'krealloc', or memory allocation errors