CVE-2022-50219 – A use-after-free vulnerability in the Linux ker... (How to Fix)

Q: What is the severity of CVE-2022-50219?

CVE-2022-50219 has a CVSS score of 7.8 (HIGH). A use-after-free vulnerability in the Linux kernel's BPF subsystem allows attackers to trigger memory corruption when BPF links are detached under specific memory allocation failure conditions. This affects Linux systems using cgroup BPF functionality, potentially leading to kernel crashes or privilege escalation. The vulnerability requires local access to exploit.

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's BPF subsystem allows attackers to trigger memory corruption when BPF links are detached under specific memory allocation failure conditions. This affects Linux systems using cgroup BPF functionality, potentially leading to kernel crashes or privilege escalation. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

Linux Kernel

Versions: Specific affected versions not explicitly stated in CVE, but references indicate fixes in stable kernel trees. Likely affects multiple kernel versions before fixes were backported.

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires BPF subsystem and cgroup functionality to be enabled/used. Most modern Linux distributions have these enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential privilege escalation to root if an attacker can control the freed memory region.

🟠

Likely Case

Kernel crash causing system instability or denial of service, requiring reboot to restore functionality.

🟢

If Mitigated

Minimal impact if systems are patched or don't use cgroup BPF functionality extensively.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Local attackers or malicious users could exploit this to crash systems or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and ability to create/detach BPF links while triggering memory allocation failures. Syzbot found this through fuzzing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with fixes: 1f8ca9c40e6222ce431e9ba5dae3cccce8ef9443, 3527e3cbb84d8868c4d4e91ba55915f96d39ec3d, 4c46091ee985ae84c60c5e95055d779fcd291d87, 6336388715afa419cc97d0255bda3bba1b96b7ca, be001f9da71eaa3b61e186fb88bde3279728bdca

Vendor Advisory: https://git.kernel.org/stable/c/1f8ca9c40e6222ce431e9ba5dae3cccce8ef9443

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable BPF subsystem

linux

Disable BPF functionality to prevent exploitation, but this will break applications relying on BPF.

echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
Remove BPF-related kernel modules if possible

Restrict cgroup BPF usage

linux

Limit which users can create BPF programs and links using cgroups.

Use cgroup permissions to restrict BPF operations to trusted users only

🧯 If You Can't Patch

Restrict local user access to systems - only allow trusted users with legitimate needs
Monitor for kernel crashes or unusual BPF/cgroup activity in system logs

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with patched versions from kernel git repository. Systems with unpatched kernels using BPF cgroup functionality are vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version matches patched version after update and reboot. Check that BPF functionality still works correctly.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
KASAN error reports mentioning compute_effective_progs or BPF link operations
System crashes or unexpected reboots

Network Indicators:

None - local exploitation only

SIEM Query:

Search for kernel panic events, KASAN reports, or system crash logs with BPF/cgroup context

📊 Metadata

CVE ID: CVE-2022-50219

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.02% exploit probability (3.6th percentile)

Published: June 18, 2025

Last Updated: November 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-50219, you might also want to check these: