CVE-2022-50014
📋 TL;DR
This Linux kernel vulnerability allows unprivileged users to bypass write permissions on tmpfs/shmem files, enabling unauthorized modification of file content. It affects systems using userfaultfd minor mode on x86_64 and aarch64 architectures. The issue stems from improper handling of FOLL_FORCE operations on copy-on-write mappings.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized modification of sensitive tmpfs/shmem files, bypassing memfd write sealing, potentially leading to privilege escalation or data corruption.
Likely Case
Local users modifying shared memory files they shouldn't have write access to, potentially affecting multi-user systems or container environments.
If Mitigated
Limited impact if proper access controls and isolation are in place, though the bypass capability remains concerning.
🎯 Exploit Status
Requires local access and knowledge of the vulnerability. Similar to Dirty COW exploitation patterns but restricted to tmpfs/shmem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 5535be309971 and 9def52eb10ba
Vendor Advisory: https://git.kernel.org/stable/c/5535be3099717646781ce1540cf725965d680e7b
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing fixes
2. Reboot system
3. Verify kernel version after reboot
🔧 Temporary Workarounds
Disable userfaultfd
Disable unprivileged use of the userfaultfd system call, which is required for exploitation
sysctl -w vm.unprivileged_userfaultfd=0
Restrict userfaultfd to privileged users
Only allow root to use userfaultfd
echo 0 > /proc/sys/vm/unprivileged_userfaultfd
🧯 If You Can't Patch
- Implement strict access controls on tmpfs/shmem directories
- Monitor for unusual file modification patterns in /dev/shm and tmpfs mounts
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if userfaultfd is enabled: cat /proc/sys/vm/unprivileged_userfaultfd
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched and test with proof-of-concept if available
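An added example (not part of the advisory or of the kernel project) that audits the workaround above: it reports whether vm.unprivileged_userfaultfd is 0 in the running kernel and whether that value is also persisted in sysctl configuration, since `sysctl -w` and `echo` only change the running kernel. The function names, verdict strings and the simplified "later argument wins" file ordering are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the vm.unprivileged_userfaultfd workaround.
# Paths are parameters so the checks can be pointed at test fixtures.

# Print the runtime value ("0" or "1"), or "absent" if the knob is missing.
uffd_runtime() {
    f="${1:-/proc/sys/vm/unprivileged_userfaultfd}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo absent; fi
}

# Print the last persisted value found in the given sysctl files/directories,
# or "unset" if nothing assigns the key. Simplification (assumption): later
# arguments override earlier ones; within a directory files apply in glob order.
uffd_persisted() {
    val=unset
    for p in "$@"; do
        for f in "$p" "$p"/*.conf; do
            [ -f "$f" ] || continue
            # Accept "vm.key" or "vm/key", optional "-" prefix; skip comments.
            v=$(sed -n 's|^[[:space:]]*-\{0,1\}vm[./]unprivileged_userfaultfd[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*|\1|p' "$f" | tail -n 1)
            if [ -n "$v" ]; then val=$v; fi
        done
    done
    echo "$val"
}

# Combine runtime and persisted state into one verdict.
uffd_verdict() {
    case "$1:$2" in
        absent:*) echo "no-knob" ;;       # sysctl not present on this kernel
        0:0)      echo "restricted" ;;    # applied now and after reboot
        0:*)      echo "runtime-only" ;;  # set now, not persisted for reboot
        *)        echo "exposed" ;;       # unprivileged userfaultfd allowed
    esac
}

echo "userfaultfd workaround: $(uffd_verdict "$(uffd_runtime)" \
    "$(uffd_persisted /usr/lib/sysctl.d /etc/sysctl.d /etc/sysctl.conf)")"
```

A "runtime-only" verdict means the setting should also be written to a file under /etc/sysctl.d before the next reboot.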
📡 Detection & Monitoring
Log Indicators:
- Unusual file modifications in /dev/shm
- Multiple userfaultfd system calls from non-privileged users
Network Indicators:
- None - local vulnerability only
SIEM Query:
Process monitoring for userfaultfd calls combined with file modification events in tmpfs locations