CVE-2022-50213
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem allows local attackers to potentially escalate privileges or crash the system. The vulnerability occurs when removing tables while sets from different tables are referenced by ID, leading to memory corruption. This affects all Linux systems using nf_tables with the vulnerable kernel versions.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel context.
Likely Case
Local privilege escalation allowing attackers to gain root access on vulnerable systems.
If Mitigated
Limited to denial of service if exploit fails or system has additional security controls like SELinux/AppArmor.
🎯 Exploit Status
Exploit requires local access and knowledge of nf_tables internals. Multiple proof-of-concepts exist in security research circles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel versions with commits referenced in CVE
Vendor Advisory: https://git.kernel.org/stable/c/470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. For RHEL/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image
4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable nf_tables
Linux: Disable the vulnerable nf_tables subsystem if not required
modprobe -r nf_tables
echo 'blacklist nf_tables' >> /etc/modprobe.d/blacklist.conf
Use iptables-legacy
Linux: Switch to iptables-legacy instead of nftables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
🧯 If You Can't Patch
- Restrict local user access through strict access controls and privilege separation
- Implement kernel hardening features like SELinux/AppArmor to limit impact
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version with uname -r and compare it with the affected versions listed in your distribution's advisories.
Check Version:
uname -r
Verify Fix Applied:
After the update and reboot, run uname -r again and confirm it matches the patched version published by your vendor.
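The version check and the module workaround above combined into one script, as an added example that is not part of the advisory. The function names and the optional file and directory arguments are assumptions made for illustration, and the patched version must come from your distribution's advisory.

```shell
#!/bin/sh
# Added example, not from the advisory. The patched version is a placeholder:
# take the fixed kernel package version from your distribution's advisory.

# kver_ge RUNNING PATCHED: true when RUNNING sorts at or after PATCHED.
# Only meaningful within one distribution's kernel series.
kver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# nft_loaded [FILE]: true when the nf_tables module is currently loaded.
nft_loaded() {
    grep -q '^nf_tables ' "${1:-/proc/modules}"
}

# nft_load_policy [DIR]: report how modprobe.d treats nf_tables.
#   install   -> "install nf_tables ..." override; explicit modprobe is blocked too
#   blacklist -> alias-based autoloading is blocked, explicit modprobe still works
#   none      -> no restriction configured
nft_load_policy() {
    dir=${1:-/etc/modprobe.d}
    if grep -Eqs '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]' "$dir"/*.conf; then
        echo install
    elif grep -Eqs '^[[:space:]]*blacklist[[:space:]]+nf_tables([[:space:]]|$)' "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# audit_host RUNNING PATCHED [MODULES_FILE] [MODPROBE_DIR]
# Returns 0 = patched, 1 = unpatched but load-restricted, 2 = exposed.
audit_host() {
    if kver_ge "$1" "$2"; then echo "OK: kernel $1 is at or after $2"; return 0; fi
    if nft_loaded "${3:-/proc/modules}"; then
        echo "EXPOSED: kernel $1 predates $2 and nf_tables is loaded"; return 2
    fi
    case $(nft_load_policy "${4:-/etc/modprobe.d}") in
        none) echo "EXPOSED: kernel $1 predates $2 and nf_tables can be loaded"; return 2 ;;
        *)    echo "MITIGATED: kernel $1 predates $2, nf_tables load restricted"; return 1 ;;
    esac
}

# Usage on a live host:
#   audit_host "$(uname -r)" "<patched-version-from-advisory>"
```

A result of 1 means the workaround is in place but the kernel still needs the update.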
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages in /var/log/kern.log or dmesg
- System crashes or unexpected reboots
- Privilege escalation attempts in audit logs
Network Indicators:
- Unusual nf_tables rule modifications by non-root users
SIEM Query:
source="kernel" AND ("nf_tables" OR "use-after-free" OR "general protection fault")
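The query above matches any kernel line that mentions nf_tables, including benign ones. The following added example (not part of the advisory) triages a kernel log so that only crash reports referencing nf_tables outside the "Modules linked in" list are flagged. The function names, the symbol nft_example_fn and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. All log lines below are constructed.

# triage_kernel_log [FILE|-]: print "<line no>: <headline>" for each crash
# report (KASAN use-after-free, general protection fault, Oops) that
# references nf_tables anywhere except the "Modules linked in:" line, which
# lists every loaded module and would otherwise flag unrelated crashes.
# Exit status 0 when at least one report is flagged, 1 otherwise.
triage_kernel_log() {
    awk '
    function emit() {
        if (inrep && hit) { print start ": " head; n++ }
        inrep = 0
    }
    /BUG: KASAN: use-after-free|general protection fault|Oops:/ {
        emit()                      # a new report closes the previous one
        inrep = 1; start = NR; head = $0; hit = 0
    }
    inrep && /nf_tables/ && !/Modules linked in:/ { hit = 1 }
    inrep && /---\[ end trace/ { emit() }
    END { emit(); exit (n > 0 ? 0 : 1) }   # emit() also covers a truncated log
    ' "${1:--}"
}

# sample_log: constructed dmesg-style input with one benign nf_tables line,
# one unrelated crash on a host that has nf_tables loaded, and one crash
# whose trace is inside nf_tables.
sample_log() {
cat <<'EOF'
[  101.000001] nf_tables: constructed benign line, no crash marker
[  205.100000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP
[  205.100010] Modules linked in: nf_tables nfnetlink ext4
[  205.100020] RIP: 0010:ext4_example_fn+0x10/0x40 [ext4]
[  205.100030] ---[ end trace 0000000000000000 ]---
[  310.200000] BUG: KASAN: use-after-free in nft_example_fn+0x1a/0x40 [nf_tables]
[  310.200010] Call Trace:
[  310.200020]  nft_example_fn+0x1a/0x40 [nf_tables]
EOF
}

# Usage: sample_log | triage_kernel_log -    or    triage_kernel_log /var/log/kern.log
```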
🔗 References
- https://git.kernel.org/stable/c/0d07039397527361850c554c192e749cfc879ea9
- https://git.kernel.org/stable/c/1a4b18b1ff11ba26f9a852019d674fde9d1d1cff
- https://git.kernel.org/stable/c/470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2
- https://git.kernel.org/stable/c/77d3b5038b7462318f5183e2ad704b01d57215a2
- https://git.kernel.org/stable/c/f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f
- https://git.kernel.org/stable/c/faafd9286f1355c76fe9ac3021c280297213330e
- https://git.kernel.org/stable/c/fab2f61cc3b0e441b1749f017cfee75f9bbaded7