CVE-2022-49985
📋 TL;DR
This is a Linux kernel vulnerability in the BPF subsystem where improper bounds checking for array poke descriptors could lead to out-of-bounds memory access. It allows local attackers to potentially cause kernel crashes or achieve privilege escalation. Systems running affected Linux kernel versions with BPF enabled are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise via kernel memory corruption
Likely Case
Kernel panic or system crash causing denial of service
If Mitigated
Limited impact if BPF is disabled or proper kernel hardening is in place
🎯 Exploit Status
Exploitation requires local access and ability to load BPF programs. The KASAN report suggests the vulnerability was discovered through fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 4f672112f866, a36df92c7ff7, a657182a5c51, e89798071784
Vendor Advisory: https://git.kernel.org/stable/c/4f672112f8665102a5842c170be1713f8ff95919
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable unprivileged BPF
Prevents unprivileged users from loading BPF programs, which mitigates the vulnerability
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1
Restrict BPF capabilities
Limit which users can load BPF programs using Linux capabilities
setcap -r /path/to/binary
Use Linux Security Modules (LSM) like SELinux or AppArmor to restrict BPF
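As an added example (not part of this advisory), the following POSIX shell script checks whether the unprivileged-BPF workaround above is actually in force on a host. It assumes the documented semantics of kernel.unprivileged_bpf_disabled: 0 allows unprivileged bpf() calls, 1 blocks them and cannot be changed back until the next reboot, 2 blocks them but lets root switch back to 0. It reads the live value on a Linux host and reports "unknown" where the sysctl is absent.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling: report the state of the
# unprivileged-BPF workaround. The value semantics below are those documented
# for kernel.unprivileged_bpf_disabled (assumption stated in the lead-in):
#   0 - unprivileged bpf() calls allowed
#   1 - blocked; cannot be re-enabled until reboot
#   2 - blocked; root may set it back to 0
SYSCTL_PATH="/proc/sys/kernel/unprivileged_bpf_disabled"

# classify_unprivileged_bpf VALUE -> prints one word describing the state
classify_unprivileged_bpf() {
    case "$1" in
        0) echo "open" ;;
        1) echo "locked" ;;
        2) echo "restricted" ;;
        *) echo "unknown" ;;
    esac
}

# read_unprivileged_bpf -> prints the live sysctl value, or "absent" when the
# file does not exist (non-Linux host, or a kernel built without the sysctl)
read_unprivileged_bpf() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo "absent"
    fi
}

# mitigation_in_place VALUE -> exit 0 if unprivileged loading is blocked
# (either permanently or reversibly), exit 1 otherwise
mitigation_in_place() {
    case "$(classify_unprivileged_bpf "$1")" in
        locked|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    v="$(read_unprivileged_bpf)"
    state="$(classify_unprivileged_bpf "$v")"
    printf 'kernel.unprivileged_bpf_disabled=%s (%s)\n' "$v" "$state"
    if mitigation_in_place "$v"; then
        echo "unprivileged BPF program loading is blocked"
        # a "restricted" (2) state can be undone by root; "locked" (1) cannot
        [ "$state" = "restricted" ] && echo "note: setting is reversible until set to 1"
    else
        echo "unprivileged BPF program loading is NOT blocked; apply the workaround or patch"
    fi
}

main "$@"
```

The sysctl does not affect processes that already hold CAP_SYS_ADMIN (or CAP_BPF on newer kernels), so it narrows who can reach the vulnerable code path rather than disabling the BPF subsystem; the capability and LSM steps above cover that remaining gap.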
🧯 If You Can't Patch
- Implement strict capability controls to prevent unprivileged users from loading BPF programs
- Use kernel hardening features like KASLR and stack protection to reduce exploit impact
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version with uname -r and compare it against your distribution's advisory for CVE-2022-49985. The grep below is the original check from this page; be aware that /proc/version carries only the kernel version string and build banner, not the list of applied commits, so a non-matching grep does not by itself prove the kernel is unpatched. The commit IDs must be confirmed in the kernel source or the distribution's package changelog.
uname -r && grep -q '4f672112f866\|a36df92c7ff7\|a657182a5c51\|e89798071784' /proc/version
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update and ensure fix commits are present in kernel source
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN reports mentioning bpf_int_jit_compile
- System crashes related to BPF operations
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="kernel" AND ("KASAN" OR "slab-out-of-bounds" OR "bpf_int_jit_compile")
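As an added example (not part of this advisory), the following POSIX shell script applies the log indicators above to kernel log text: it counts lines matching the same terms as the SIEM query and classifies a log as a KASAN report in bpf_int_jit_compile, a KASAN report elsewhere, a bare kernel panic, or clean. The embedded sample lines are constructed for the demonstration and are not a real KASAN report for this CVE; the addresses and PIDs are placeholders.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. SAMPLE_LOG is constructed
# dmesg-style text that mimics the shape of a KASAN report; it is not real
# output from a vulnerable kernel.
SAMPLE_LOG='[  12.001] systemd[1]: Started Journal Service.
[ 311.442] ==================================================================
[ 311.443] BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1234/0x5000
[ 311.444] Read of size 8 at addr ffff888012345678 by task fuzz/1234
[ 311.445]  bpf_int_jit_compile+0x1234/0x5000
[ 311.446]  bpf_prog_select_runtime+0x2a0/0x5b0
[ 412.100] usb 1-1: new high-speed USB device number 3'

# count_bpf_kasan_hits LOGTEXT -> number of lines matching the same terms as
# the SIEM query above (KASAN, slab-out-of-bounds, bpf_int_jit_compile)
count_bpf_kasan_hits() {
    printf '%s\n' "$1" | grep -c -E 'KASAN|slab-out-of-bounds|bpf_int_jit_compile' || true
}

# classify_kernel_log LOGTEXT -> prints one of:
#   bpf-jit-kasan  KASAN report whose faulting frame is bpf_int_jit_compile
#   kasan-other    a KASAN report in some other code path
#   panic          a kernel panic line without a KASAN report
#   clean          none of the indicators present
classify_kernel_log() {
    log="$1"
    if printf '%s\n' "$log" | grep -q 'BUG: KASAN:.*bpf_int_jit_compile'; then
        echo "bpf-jit-kasan"
    elif printf '%s\n' "$log" | grep -q 'BUG: KASAN:'; then
        echo "kasan-other"
    elif printf '%s\n' "$log" | grep -q 'Kernel panic'; then
        echo "panic"
    else
        echo "clean"
    fi
}

# main [FILE]: scan a saved kernel log file if one is given, otherwise the
# constructed sample; a real deployment would feed it `dmesg` or journal output
main() {
    if [ -n "$1" ] && [ -r "$1" ]; then
        input="$(cat "$1")"
    else
        input="$SAMPLE_LOG"
    fi
    printf 'indicator lines: %s\n' "$(count_bpf_kasan_hits "$input")"
    printf 'classification: %s\n' "$(classify_kernel_log "$input")"
}

main "$@"
```

Only the bpf-jit-kasan class points at this specific code path; kasan-other and panic are worth triage on their own but are not evidence of this CVE, which is why the classifier separates them instead of treating every query hit alike.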