CVE-2022-50356
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's Stochastic Fair Blue (SFB) queueing discipline can cause a kernel panic when network device initialization fails. This affects Linux systems using SFB as the default qdisc, potentially leading to denial of service. The vulnerability requires local access or ability to configure network settings.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.
Likely Case
System instability or crash when network configuration changes are attempted with SFB qdisc enabled.
If Mitigated
Minor system disruption during network configuration if proper error handling prevents full crash.
🎯 Exploit Status
Requires CAP_NET_ADMIN privileges to modify qdisc settings. Exploitation involves triggering SFB initialization failure during network configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits 2a3fc78210b9f0e85372a2435368962009f480fc, 723399af2795fb95687a531c9480464b5f489333, c2e1e59d59fafe297779ceae1fe0e6fbebc3e745, or ded86c4191a3c17f8200d17a7d8a6f63b74554ae
Vendor Advisory: https://git.kernel.org/stable/c/2a3fc78210b9f0e85372a2435368962009f480fc
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable SFB qdisc
allChange default qdisc from SFB to another queueing discipline like pfifo_fast
tc qdisc replace dev [interface] root pfifo_fast
Restrict network configuration privileges
allLimit CAP_NET_ADMIN capabilities to trusted users only
setcap -r /sbin/tc
chmod 750 /sbin/tc
🧯 If You Can't Patch
- Avoid using SFB as default qdisc for any network interfaces
- Implement strict access controls to prevent unauthorized users from modifying network qdisc settings
🔍 How to Verify
Check if Vulnerable:
Check if SFB is configured as default qdisc: tc qdisc show | grep sfbCheck Version:
uname -rVerify Fix Applied:
Check kernel version contains fix commits: uname -r and verify with distribution security advisories📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- NULL pointer dereference errors mentioning sfb_reset or qdisc_reset
Network Indicators:
- Sudden network interface failures after configuration changes
SIEM Query:
kernel: *NULL pointer dereference* AND (*sfb* OR *qdisc*)