CVE-2022-50072
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's NFSv4/pNFS implementation. When an open RPC call is cancelled, the kernel frees memory that the still-hung RPC call may continue to reference, potentially leading to system crashes or arbitrary code execution. This affects Linux systems using NFSv4 with pNFS extensions.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to kernel-level code execution allowing full system compromise.
Likely Case
System instability, crashes, or denial of service affecting NFS operations.
If Mitigated
Limited impact if NFSv4/pnfs is not used or if systems are patched promptly.
🎯 Exploit Status
Exploitation requires specific conditions: NFSv4/pnfs must be active, and an open RPC call must be cancelled. This is a race condition vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.19.12 and later stable versions, plus backports to various distribution kernels
Vendor Advisory: https://git.kernel.org/stable/c/2135e5d56278ffdb1c2e6d325dc6b87f669b9dac
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution's repositories.
2. For Red Hat/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image
4. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable pnfs
Disable parallel NFS (pnfs) feature in NFSv4 configuration
# nfs4_disable_idmapping only turns off NFSv4 ID mapping; pNFS is implemented by the layout driver modules, so block those from loading instead
printf 'install %s /bin/false\n' nfs_layout_nfsv41_files nfs_layout_flexfiles blocklayoutdriver > /etc/modprobe.d/nfs-pnfs.conf
reboot
Use NFSv3 instead
Configure NFS clients and servers to use NFSv3 instead of NFSv4
On client: mount -t nfs -o vers=3 server:/export /mnt
On server: In /etc/exports, specify options for NFSv3
🧯 If You Can't Patch
- Disable NFSv4 pnfs functionality on all affected systems
- Implement network segmentation to isolate NFS traffic and limit potential impact
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if NFSv4 with pnfs is enabled: uname -r && cat /proc/fs/nfsfs/volumes
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched: uname -r should show 5.19.12 or higher, or distribution-specific patched version
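The two checks above combined into one script, added here as an example rather than taken from the advisory. It compares the running kernel's numeric version against 5.19.12 and counts NFSv4 client mounts in /proc/fs/nfsfs/volumes (pNFS is an NFSv4.1+ feature, so a host with no v4 mounts is not exercising the affected path). The sample volumes listing is constructed; the exposure logic and the "distro backport" caveat are the assumptions the script encodes.

```shell
#!/bin/sh
# Added example, not part of the advisory: a two-part exposure check for
# CVE-2022-50072. A host is only exposed if BOTH hold: the running kernel
# predates the fix AND it has an NFSv4 mount (pNFS is an NFSv4.1+ feature).
# Distribution kernels backport fixes, so an "older" version number means
# "check the distro's advisory", not "confirmed vulnerable".

# kernel_ge MIN ACTUAL: succeed when ACTUAL >= MIN. Compares the dotted
# numeric prefix only, so "5.15.0-91-generic" is treated as 5.15.0.
kernel_ge() {
    awk -v min="$1" -v act="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", act)
        n = split(min, m, "."); split(act, a, ".")
        for (i = 1; i <= n; i++) {
            x = (a[i] == "" ? 0 : a[i]) + 0
            y = m[i] + 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# count_nfs4: read /proc/fs/nfsfs/volumes-style text on stdin and print how
# many mounted volumes are NFSv4 (first column "v4"). The header line and
# v3 entries are skipped.
count_nfs4() {
    awk '$1 == "v4" { n++ } END { print n + 0 }'
}

# Constructed sample of /proc/fs/nfsfs/volumes with one v4 and one v3 mount
# (column layout follows the kernel's listing; the values are made up).
sample_volumes() {
    cat <<'EOF'
NV SERVER   PORT DEV          FSID                              FSC
v4 0a000001  801 0:45         0:0                               no
v3 0a000002  801 0:46         0:0                               no
EOF
}

# Exposure report for the running host. Never exits non-zero: a missing
# /proc/fs/nfsfs/volumes simply means the NFS client has no mounts.
report() {
    kv=$(uname -r)
    if kernel_ge 5.19.12 "$kv"; then
        echo "kernel $kv: at or above 5.19.12 (upstream fix included)"
    else
        echo "kernel $kv: below 5.19.12; confirm a backport via your distro advisory"
    fi
    if [ -r /proc/fs/nfsfs/volumes ]; then
        n=$(count_nfs4 < /proc/fs/nfsfs/volumes)
        echo "NFSv4 client mounts: $n (pNFS needs at least one NFSv4.1+ mount)"
    else
        echo "NFSv4 client mounts: 0 (nfs client not loaded or no mounts)"
    fi
}

report
```

The version check is deliberately a first filter only: a distribution kernel reporting 5.15.x may already carry the backport listed in its own advisory, which is why the script prints "confirm a backport" rather than "vulnerable".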
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- NFS-related crashes or hung processes
Network Indicators:
- Unusual NFS traffic patterns or connection resets
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "use-after-free") AND ("nfs" OR "pnfs")
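The same filter as the SIEM query, written as a grep pipeline so it can be run directly against dmesg or journalctl output on a host without a SIEM. This is an added example, not part of the advisory; the kernel log lines it runs over are constructed, including the KASAN splat, and are not taken from a real report of this CVE.

```shell
#!/bin/sh
# Added example, not from the advisory: the SIEM query
#   source="kernel" AND ("panic" OR "Oops" OR "use-after-free") AND ("nfs" OR "pnfs")
# expressed as a shell pipeline over kernel log lines.

# nfs_crash_lines: read log lines on stdin, print those matching
# (panic|Oops|use-after-free) AND (nfs|pnfs), case-insensitive.
nfs_crash_lines() {
    grep -Ei 'panic|oops|use-after-free' | grep -Ei 'nfs|pnfs'
}

# count_nfs_crash_lines: number of matching lines on stdin (always succeeds,
# printing 0 when nothing matches).
count_nfs_crash_lines() {
    nfs_crash_lines | wc -l | tr -d ' '
}

# Constructed sample of `dmesg -T` output. Only the KASAN line names both a
# crash keyword and the NFS subsystem; the later "Kernel panic" line does not
# mention nfs at all, which is typical and is why time correlation matters.
sample_kernel_log() {
    cat <<'EOF'
[Mon Sep 19 10:02:11 2022] nfs: server nas01 not responding, still trying
[Mon Sep 19 10:02:40 2022] BUG: KASAN: use-after-free in pnfs_layout_process+0x1a4/0x3c0 [nfsv4]
[Mon Sep 19 10:02:40 2022] Call Trace:
[Mon Sep 19 10:03:02 2022] Kernel panic - not syncing: Fatal exception
[Mon Sep 19 10:03:02 2022] usb 1-1: new high-speed USB device number 3
EOF
}

# Demo run over the constructed sample; on a real host pipe in `dmesg -T`
# or `journalctl -k --no-pager` instead.
sample_kernel_log | nfs_crash_lines
```

Because the final panic line rarely names the subsystem, treat a match on the use-after-free or Oops line as the anchor and pull the surrounding context (grep -B/-A, or the journal around that timestamp) before deciding whether a crash is NFS-related.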
🔗 References
- https://git.kernel.org/stable/c/0fffb46ff3d5ed4668aca96441ec7a25b793bd6f
- https://git.kernel.org/stable/c/2135e5d56278ffdb1c2e6d325dc6b87f669b9dac
- https://git.kernel.org/stable/c/76ffd2042438769298f34b76102b40dea89de616
- https://git.kernel.org/stable/c/a4cf3dadd1fa43609f7c6570c9116b0e0a9923d1
- https://git.kernel.org/stable/c/b03d1117e9be7c7da60e466eaf9beed85c5916c8
- https://git.kernel.org/stable/c/f7ee3b772d9de87387a725caa04bc041ac7fe5ec