CVE-2022-49888
📋 TL;DR
This CVE describes a kernel stack overflow vulnerability in the Linux kernel on ARM64 systems with Cortex-A76 CPUs. When the cortex_a76_erratum_1463225_debug_handler() function is probed via kprobes, it can cause recursive exceptions leading to kernel panic and denial of service. This affects Linux systems running on affected ARM64 hardware.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash and denial of service when kprobes are used on vulnerable systems, requiring reboot to restore functionality.
If Mitigated
No impact if kprobes are disabled or the system is not using affected ARM64 hardware.
🎯 Exploit Status
The vulnerability demonstration shows how to trigger it via kprobes. Exploitation requires ability to load kprobes (typically root or CAP_SYS_ADMIN).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 024f4b2e1f874934943eb2d3d288ebc52c79f55c, 71d6c33fe223255f4416a01514da2c0bc3e283e7, db66629d43b2d12cb43b004a4ca6be1d03228e97
Vendor Advisory: https://git.kernel.org/stable/c/024f4b2e1f874934943eb2d3d288ebc52c79f55c
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. Check your distribution's security advisories for specific patched versions. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable kprobes
linuxPrevent exploitation by disabling kprobes functionality
echo 0 > /sys/kernel/debug/tracing/events/kprobes/enable
rmmod kprobes if loaded as module
Restrict kprobes usage
linuxLimit which users can use kprobes via capabilities
setcap -r /sys/kernel/debug/tracing/kprobe_events
chmod 600 /sys/kernel/debug/tracing/kprobe_events
🧯 If You Can't Patch
- Disable kprobes functionality entirely
- Restrict access to debugfs and kprobes to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if running on ARM64 Cortex-A76 hardware. Check if kprobes are enabled: cat /sys/kernel/debug/tracing/events/kprobes/enableCheck Version:
uname -rVerify Fix Applied:
Check kernel version contains fix commits or is newer than vulnerable range. Test kprobes functionality to ensure no recursion occurs.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning stack overflow
- Recursive exception traces in kernel logs
- Multiple 'cortex_a76_erratum_1463225_debug_handler' entries in stack traces
Network Indicators:
- Sudden service unavailability without network cause
SIEM Query:
source="kernel" AND ("stack overflow" OR "Kernel panic" OR "cortex_a76_erratum")