CVE-2022-49967
📋 TL;DR
This CVE describes a race condition vulnerability in the Linux kernel's BPF subsystem where concurrent reading and writing of the bpf_jit_limit sysctl parameter could cause load-tearing. This affects systems running vulnerable Linux kernel versions with BPF JIT enabled. Attackers could potentially read inconsistent values, though exploitation requires local access.
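Load-tearing on a value such as bpf_jit_limit, shown as an added C example (not kernel code and not part of the original advisory): it models a 64-bit update performed as two 32-bit stores, the mixed value a concurrent reader can observe, and the single-access read/write pattern that avoids it. The names `read_once_long`, `write_once_long`, `torn_view`, `charge_allowed` and `jit_limit`, and all sample values, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's READ_ONCE()/WRITE_ONCE() on a long:
 * the volatile access makes the compiler emit one full-width load or store. */
static long read_once_long(const long *p)    { return *(const volatile long *)p; }
static void write_once_long(long *p, long v) { *(volatile long *)p = v; }

static long jit_limit;  /* hypothetical stand-in for bpf_jit_limit */

/* Deterministic model of a torn access: a 64-bit update performed as two
 * 32-bit stores (low half first). Returns what a concurrent reader observes
 * after `halves_done` of those stores have landed. */
static uint64_t torn_view(uint64_t old_val, uint64_t new_val, int halves_done)
{
    uint64_t lo = (halves_done >= 1 ? new_val : old_val) & 0xffffffffu;
    uint64_t hi = (halves_done >= 2 ? new_val : old_val) >> 32;
    return (hi << 32) | lo;
}

/* Limit check in the style of a JIT memory charge: 0 = allowed, -1 = denied. */
static int charge_allowed(uint64_t observed_limit, uint64_t in_use)
{
    return in_use <= observed_limit ? 0 : -1;
}

/* Paired single-access update and read: the reader sees old or new, never a mix. */
static long update_then_read(long new_limit)
{
    write_once_long(&jit_limit, new_limit);
    return read_once_long(&jit_limit);
}

int main(void)
{
    /* Constructed values: limit raised from 4 GiB - 1 to 4 GiB. */
    uint64_t old_val = 0x00000000ffffffffULL, new_val = 0x0000000100000000ULL;
    uint64_t mid = torn_view(old_val, new_val, 1);

    printf("torn read observes : 0x%016llx\n", (unsigned long long)mid);
    printf("4096-byte charge   : %s\n",
           charge_allowed(mid, 4096) == 0 ? "allowed" : "denied (limit seen as 0)");
    printf("single-access read : %ld\n", update_then_read(1L << 20));
    return 0;
}
```

The torn read yields a limit of 0, a value that was never written, so a charge that both the old and the new limit would allow is denied.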
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could exploit the race condition to cause kernel instability or read inconsistent bpf_jit_limit values, potentially affecting BPF program execution stability.
Likely Case
Most likely impact is minimal - inconsistent reads of bpf_jit_limit value causing potential confusion in system monitoring or management tools.
If Mitigated
With proper access controls limiting local user privileges, the impact is negligible as exploitation requires local access to modify sysctl parameters.
🎯 Exploit Status
Exploitation requires precise timing to trigger the race condition and local access to modify sysctl parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees via commits: 0947ae1121083d363d522ff7518ee72b55bd8d29 and ba632ad0bacb13197a8f38e7526448974e87f292
Vendor Advisory: https://git.kernel.org/stable/c/0947ae1121083d363d522ff7518ee72b55bd8d29
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable BPF JIT
Disable BPF JIT compilation to mitigate the vulnerability (Linux)
echo 0 > /proc/sys/net/core/bpf_jit_enable
Restrict sysctl access
Limit write access to bpf_jit_limit sysctl parameter (Linux)
chmod 644 /proc/sys/net/core/bpf_jit_limit
Set appropriate SELinux/AppArmor policies
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges
- Monitor for unusual sysctl modification attempts and kernel logs for related errors
🔍 How to Verify
Check if Vulnerable:
Check kernel version against your distribution's security advisories. Vulnerable if running unpatched kernel with BPF JIT enabled.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version matches patched release from your distribution. Check that cat /proc/sys/net/core/bpf_jit_limit doesn't show inconsistent values during concurrent access testing.
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing BPF-related errors or warnings
- Audit logs showing unauthorized sysctl modifications
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Search for kernel messages containing 'bpf_jit_limit' or sysctl modification attempts in audit logs