CVE-2022-50078
📋 TL;DR
A vulnerability in the Linux kernel's tracing subsystem allows event probes (eprobes) to incorrectly access register variables like $stack or %reg when they shouldn't, leading to a NULL pointer dereference. This can cause kernel panics and system crashes. Affects Linux systems with kernel tracing enabled and eprobes configured.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash or kernel panic when malicious or misconfigured eprobes attempt to access restricted register variables.
If Mitigated
No impact if kernel tracing is disabled or eprobes are not used.
🎯 Exploit Status
Exploitation requires local access and ability to configure eprobes with specific parameters. The vulnerability was discovered during testing, not in active attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 2673c60ee67e71f2ebe34386e62d348f71edee47, 7c262114a576d94c0ced80e232bbb17391a55908, ba53c21ce9773743b8e0a8ada048c96ff2d55c67
Vendor Advisory: https://git.kernel.org/stable/c/2673c60ee67e71f2ebe34386e62d348f71edee47
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check your distribution's security advisories for specific patched versions.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable kernel tracing
Linux: Disable the kernel tracing subsystem to prevent eprobe usage
echo 0 > /sys/kernel/debug/tracing/tracing_on
echo 0 > /sys/kernel/debug/tracing/events/enable
Restrict eprobe access
Linux: Limit access to eprobe configuration to trusted users only
chmod 600 /sys/kernel/debug/tracing/dynamic_events
Set appropriate SELinux/AppArmor policies
🧯 If You Can't Patch
- Disable kernel tracing subsystem completely
- Implement strict access controls to prevent unauthorized users from configuring eprobes
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if tracing is enabled: uname -r && cat /sys/kernel/debug/tracing/tracing_on
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version contains the fix commits or check with distribution-specific security updates
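An added example, not part of the original advisory or the kernel project's code: a shell audit that lists configured eprobes whose fetch arguments use `$stack` or `%reg`, the access pattern described in the TL;DR. It assumes eprobe definitions are read from the tracefs `dynamic_events` file as lines beginning with `e:`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit eprobe definitions for the fetch args this CVE concerns: $stack, %reg.
# Input is text in the format of the tracefs dynamic_events file (assumption).

# Print every eprobe definition that uses a register or stack fetch argument.
# Reads the files named as arguments, or stdin when none are given.
find_risky_eprobes() {
    awk '
        # Eprobe lines start with "e" then ":" or whitespace; kprobes (p/r),
        # uprobes and synthetic events are skipped.
        /^e(:|[ \t])/ {
            # $1 = probe name, $2 = attached event, $3.. = NAME=FETCHARG[:TYPE]
            for (i = 3; i <= NF; i++) {
                arg = $i
                sub(/^[^=]*=/, "", arg)   # drop the optional "NAME=" prefix
                # Match %reg or $stack/$stackN anywhere in the argument,
                # including inside a dereference such as +8(%di).
                # An event field that merely starts with "stack" is not matched.
                if (arg ~ /%[A-Za-z]/ || arg ~ /\$stack[0-9]*([^A-Za-z0-9_]|$)/) {
                    print
                    next
                }
            }
        }
    ' "$@"
}

# Number of risky eprobe definitions in the input.
count_risky_eprobes() {
    find_risky_eprobes "$@" | wc -l | tr -d ' '
}

# Constructed sample in dynamic_events format, not captured from a real host.
SAMPLE_EVENTS='e:eprobes/open_file syscalls.sys_enter_openat file=+0($filename):ustring
e:eprobes/bad_stack syscalls.sys_enter_openat top=$stack:x64
e:eprobes/bad_reg sched.sched_switch r=%ax:x64
e:eprobes/bad_deref sched.sched_switch v=+8(%di):u32
p:kprobes/ok_kprobe do_sys_openat2 dfd=%di:s32
e:eprobes/field_named sched.sched_wakeup s=$stacksize:u32'

# Demo on the sample. On a live host, run as root:
#   find_risky_eprobes /sys/kernel/debug/tracing/dynamic_events
printf '%s\n' "$SAMPLE_EVENTS" | find_risky_eprobes
```

A patched kernel rejects such definitions when they are created, so any hit on a live host also indicates the fix is not present.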
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning NULL pointer dereference in get_event_field.isra.0
- System crash logs with trace-cmd or eprobe-related errors
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "get_event_field" OR "eprobe")