CVE-2022-50396

5.5 MEDIUM

📋 TL;DR

A memory leak exists in the tcindex packet classifier of the Linux kernel's traffic control (tc) subsystem (net/sched/cls_tcindex.c). When an existing tcindex filter is changed, tcindex_set_parms() reinitialises the old filter result without destroying its action list (tcf_exts), so every change leaks a kernel allocation that is never freed. A local process allowed to modify tc filters can repeat the change in a loop until kernel memory is exhausted, a denial of service. Kernels that ship the tcindex classifier without the fix are affected; the classifier was removed from the kernel in 6.3, so later kernels do not carry it.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernels carrying the tcindex classifier before the fix "net: sched: fix memory leak in tcindex_set_parms" (mainline, 6.2 cycle) and its stable backports (commits listed under Fix). The classifier was retired in 6.3, so 6.3 and later are not affected.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only reachable when the tcindex classifier is available (CONFIG_NET_CLS_TCINDEX built in or as a module) and an existing tcindex filter is changed. The rtnetlink operation requires CAP_NET_ADMIN in the caller's network namespace; where unprivileged user namespaces are enabled, an ordinary local user can obtain that capability over a network namespace of their own, so do not treat this as root-only.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel memory exhaustion leading to system crash or denial of service, requiring reboot to recover

🟠

Likely Case

Gradual, host-wide kernel memory consumption that degrades performance and eventually triggers the OOM killer or a crash; the leaked memory is only returned by a reboot

🟢

If Mitigated

None on kernels where tcindex is patched, blocked from loading, or absent; monitoring alone shortens the time to a controlled reboot but does not stop the leak

🌐 Internet-Facing: LOW - Not reachable over the network; tc filters are configured through rtnetlink by a local process
🏢 Internal Only: MEDIUM - Any local process holding CAP_NET_ADMIN over a network namespace can trigger it, which, with unprivileged user namespaces enabled, includes ordinary users

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local code execution with CAP_NET_ADMIN over some network namespace (root, a capable service, or an ordinary user inside an unprivileged user namespace). Triggering the leak is a loop of tc filter change or replace operations on an existing tcindex filter; no race or memory corruption is involved, so it is reliable, but the outcome is limited to denial of service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b, 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6, 372ae77cf11d11fb118cbe2d37def9dd5f826abd, 399ab7fe0fa0d846881685fd4e57e9a8ef7559f7, 3abebc503a5148072052c229c6b04b329a420ecd

Vendor Advisory: https://git.kernel.org/stable/c/

Restart Required: Yes

Instructions:

1. Update to a kernel that carries the fix (the mainline commit or one of the stable backports listed above), or to 6.3 or later, where the tcindex classifier no longer exists.
2. Check your distribution's security advisory for CVE-2022-50396 to find the fixed package version.
3. Reboot into the new kernel. Memory already leaked is only reclaimed by the reboot.

🔧 Temporary Workarounds

Restrict CAP_NET_ADMIN

all

Limit who can reach the tc netlink interface: strip file capabilities from binaries that do not need them, drop the capability from services that only need other privileges, and, since an unprivileged user namespace grants CAP_NET_ADMIN over its own network namespace, disable unprivileged user namespaces where the workload allows. user.max_user_namespaces=0 blocks creation for everyone, root included, which breaks rootless containers and sandboxes that rely on it; Debian and Ubuntu kernels offer kernel.unprivileged_userns_clone=0, which restricts only unprivileged users.

setcap -r /path/to/binary
capsh --drop=cap_net_admin -- -c "command"
sysctl -w user.max_user_namespaces=0

Make the tcindex classifier unavailable

all

Where CONFIG_NET_CLS_TCINDEX=m, block the module from loading and unload it if present; tc triggers an automatic module load on first use, and a modprobe install rule defeats that. Move any existing tcindex filters to another classifier (u32 or flower) first, then delete them. Where tcindex is built in, deleting the filters and avoiding tc filter change/replace on tcindex filters is the best available; the leak is in the path that changes an existing filter, not in add or delete.

echo 'install cls_tcindex /bin/false' > /etc/modprobe.d/cve-2022-50396.conf
tc filter del dev eth0 parent 1:0 prio 1
modprobe -r cls_tcindex

🧯 If You Can't Patch

  • Watch slab growth: sample /proc/slabinfo (or slabtop) for kmalloc-256, the cache matching the 256-byte object in the upstream report, and alert on sustained growth. Memory cgroup limits do not bound this leak, since the allocation is made without cgroup accounting.
  • Restrict CAP_NET_ADMIN to the users and services that need it, and disable unprivileged user namespaces where possible, so only trusted administrators can reach tc filter changes.

🔍 How to Verify

Check if Vulnerable:

Confirm the kernel ships tcindex and whether any interface has tcindex filters attached: uname -r; grep CONFIG_NET_CLS_TCINDEX /boot/config-$(uname -r); tc filter show dev eth0 | grep tcindex (repeat per interface, and with "ingress" for ingress filters). "tc qdisc show" alone does not tell you whether tcindex is in use.

Check Version:

uname -r

Verify Fix Applied:

/proc/version does not record fix commits, so do not grep it for a hash. On a distribution kernel, compare the running version with the distribution's advisory for CVE-2022-50396 (the CVE was assigned in 2025, well after the 2022 fix, so older changelogs may cite the commit subject "net: sched: fix memory leak in tcindex_set_parms" rather than the CVE). On a self-built kernel, check the source tree: git log --oneline --grep='memory leak in tcindex_set_parms' -- net/sched/cls_tcindex.c. A kernel where grep CONFIG_NET_CLS_TCINDEX /boot/config-$(uname -r) shows "is not set", or where the option is absent (6.3 and later), is not affected regardless.
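One pass over the three exposure questions above (is tcindex present, is it in use, can an unprivileged user reach it). This is an added example, not code from the advisory or from the kernel project; the config path /boot/config-$(uname -r), the /proc/config.gz fallback and the two sysctl paths are standard locations but assumptions about the host, and the sample listing is constructed.

```shell
#!/bin/sh
# Exposure check for CVE-2022-50396. Added example, not code from the advisory
# or from the kernel project. It answers three questions: does this kernel ship
# the tcindex classifier at all, are tcindex filters installed right now, and can
# an unprivileged local user obtain CAP_NET_ADMIN through a user namespace and so
# reach the vulnerable filter-change path without being root.
# Each check takes its input as a text argument so it can run on captured output;
# the bottom of the script feeds it live data from this host.

# Build state of the tcindex classifier.
# $1: contents of /boot/config-$(uname -r) or of "zcat /proc/config.gz".
# Prints builtin | module | absent. "absent" is also what a 6.3+ kernel shows,
# since the classifier was removed there.
tcindex_build_state() {
    case "$(printf '%s\n' "$1" | grep -E '^CONFIG_NET_CLS_TCINDEX=' | tail -n 1)" in
        CONFIG_NET_CLS_TCINDEX=y) echo builtin ;;
        CONFIG_NET_CLS_TCINDEX=m) echo module ;;
        *)                        echo absent ;;
    esac
}

# Number of tcindex filters in one "tc filter show ..." listing.
# $1: the listing. Each filter starts a line with "filter" and names its
# classifier (tcindex, u32, flower, ...) after the pref; continuation lines
# such as "  action order 1: ..." are indented and therefore not counted.
tcindex_filter_count() {
    printf '%s\n' "$1" | grep -E '^filter .* tcindex( |$)' | wc -l | tr -d ' '
}

# Can a non-root user create a user namespace (and with it hold CAP_NET_ADMIN
# over a private network namespace)?
# $1: /proc/sys/user/max_user_namespaces (0 disables creation for everyone)
# $2: /proc/sys/kernel/unprivileged_userns_clone on Debian/Ubuntu kernels that
#     carry that knob, or empty where the file does not exist.
# Prints yes | no | unknown.
userns_reachable() {
    case "${1:-}" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo no
    elif [ -n "${2:-}" ] && [ "$2" -eq 0 ]; then echo no
    else echo yes
    fi
}

# Constructed "tc filter show dev eth0" output with two tcindex filters and one
# u32 filter, kept here so the parser can be exercised without a tc binary.
SAMPLE_LISTING='filter parent 1: protocol ip pref 1 tcindex chain 0 handle 0x1 classid 1:1
filter parent 1: protocol ip pref 2 u32 chain 0
filter parent 1: protocol ip pref 2 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 3 tcindex chain 0 handle 0x2 classid 1:2
  action order 1: gact action pass'

# Live run. Unreadable sources are reported as unknown rather than aborting.
cfg=''
if [ -r "/boot/config-$(uname -r)" ]; then
    cfg=$(cat "/boot/config-$(uname -r)")
elif [ -r /proc/config.gz ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null || true)
fi
if [ -n "$cfg" ]; then state=$(tcindex_build_state "$cfg"); else state=unknown; fi
echo "kernel $(uname -r): tcindex classifier is $state"

if command -v tc >/dev/null 2>&1; then
    for path in /sys/class/net/*; do
        dev=${path##*/}
        # Root-qdisc and ingress filters; filters on shared blocks need
        # "tc filter show block <id>" and are not covered here.
        listing=$( { tc filter show dev "$dev"; tc filter show dev "$dev" ingress; } 2>/dev/null || true)
        n=$(tcindex_filter_count "$listing")
        [ "$n" -gt 0 ] && echo "dev $dev: $n tcindex filter(s) installed"
    done
fi

maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
echo "unprivileged user namespaces: $(userns_reachable "$maxns" "$clone")"
```

Run it as any user; it only reads. A host that reports "absent" for the classifier is out of scope whatever the other two lines say, while "module" or "builtin" together with "unprivileged user namespaces: yes" means every local account can reach the leaking path.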

📡 Detection & Monitoring

Log Indicators:

  • With kmemleak enabled: "unreferenced object" reports whose backtrace includes tcindex_set_parms
  • OOM killer messages ("Out of memory: Killed process ...") on a host whose user-space footprint has not grown
  • SUnreclaim in /proc/meminfo and the kmalloc-256 line of /proc/slabinfo climbing steadily while tc filters are being changed

Network Indicators:

  • None on the wire: tc filter changes are rtnetlink messages local to the host. Observe them with tc monitor (or an nlmon interface) and look for the same tcindex filter being replaced or changed in a tight loop

SIEM Query:

source="kernel" AND ("unreferenced object" OR "tcindex_set_parms" OR "Out of memory" OR "kmalloc-256")
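The indicators above as runnable detection logic. This is an added example, not part of the advisory or the kernel tree: it counts tcindex filter changes in tc monitor output and compares two /proc/slabinfo snapshots. The kmalloc-256 cache name follows from the 256-byte object size in the upstream report and should be confirmed on the target kernel; the thresholds and the 30-second window are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Detection helpers for CVE-2022-50396. Added example, not code from the advisory
# or from the kernel project. Two local signals are correlated:
#  1. tcindex filter add/change/replace events, read from "tc monitor" (filter
#     changes are rtnetlink messages on the host, nothing crosses the wire);
#  2. growth of the kmalloc-256 slab cache in /proc/slabinfo, because the
#     upstream syzkaller report showed the leaked object as a 256-byte
#     allocation made in tcindex_set_parms() (assumed cache name, confirm locally).
# The parsers take text arguments so they run on captured output; "--watch"
# samples this host for a window (needs root for /proc/slabinfo). The
# thresholds below are assumptions to tune per fleet.

# Count tcindex filter add/change/replace events per attachment point.
# $1: "tc monitor" text. Output lines: "dev <name> <count>" or
# "block <id> <count>", highest count first. "deleted filter" lines are not
# counted: deletion is not the leaking path, only a change to an existing
# filter is.
tcindex_changes_by_dev() {
    printf '%s\n' "$1" \
      | awk '/^(added |replaced )?filter / && / tcindex( |$)/ {
               for (i = 1; i <= NF; i++)
                   if ($i == "dev" || $i == "block") c[$i " " $(i + 1)]++
             }
             END { for (k in c) print k, c[k] }' \
      | sort -k3,3nr -k2,2
}

# active_objs of one cache in /proc/slabinfo; 0 if the cache is not listed.
# $1: slabinfo text, $2: cache name (kmalloc-256 for this bug).
slab_active_objs() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; found = 1 } END { if (!found) print 0 }'
}

# Verdict for one sampling window: "suspicious" when both the number of tcindex
# changes ($4 or more) and the kmalloc-256 growth ($5 or more objects) reach
# their thresholds, otherwise "ok".
# $1: tc monitor text for the window, $2/$3: slabinfo text before/after it.
tcindex_leak_verdict() {
    changes=$(tcindex_changes_by_dev "$1" | awk '{ s += $3 } END { print s + 0 }')
    growth=$(( $(slab_active_objs "$3" kmalloc-256) - $(slab_active_objs "$2" kmalloc-256) ))
    if [ "$changes" -ge "$4" ] && [ "$growth" -ge "$5" ]; then echo suspicious; else echo ok; fi
}

# Constructed samples: one window of tc monitor output (three changes to the
# same filter on eth0, one on eth1, plus a deletion and a u32 filter that must
# not count) and two slabinfo snapshots 80000 kmalloc-256 objects apart.
SAMPLE_MONITOR='replaced filter dev eth0 parent 1: protocol ip pref 1 tcindex chain 0 handle 0x1 classid 1:1
replaced filter dev eth0 parent 1: protocol ip pref 1 tcindex chain 0 handle 0x1 classid 1:1
filter dev eth0 parent 1: protocol ip pref 1 tcindex chain 0 handle 0x1 classid 1:2
deleted filter dev eth0 parent 1: protocol ip pref 1 tcindex chain 0 handle 0x1
added filter dev eth1 parent 1: protocol ip pref 2 u32 chain 0 fh 800: ht divisor 1
replaced filter dev eth1 parent 1: protocol ip pref 3 tcindex chain 0 handle 0x5 classid 1:5
added qdisc htb 1: dev eth1 root refcnt 2 r2q 10 default 0 direct_packets_stat 0'
SAMPLE_SLAB_BEFORE='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-512         1984   1984    512   32    4 : tunables    0    0    0 : slabdata     62     62      0
kmalloc-256         3072   3072    256   32    2 : tunables    0    0    0 : slabdata     96     96      0'
SAMPLE_SLAB_AFTER='slabinfo - version: 2.1
kmalloc-512         1984   1984    512   32    4 : tunables    0    0    0 : slabdata     62     62      0
kmalloc-256        83072  83072    256   32    2 : tunables    0    0    0 : slabdata   2596   2596      0'

if [ "${1:-}" = "--watch" ]; then
    window=${2:-30}                      # seconds of tc monitor to capture (assumed default)
    before=$(cat /proc/slabinfo)
    mon=$(timeout "$window" tc monitor 2>/dev/null || true)
    after=$(cat /proc/slabinfo)
    echo "tcindex filter changes in ${window}s:"; tcindex_changes_by_dev "$mon"
    echo "kmalloc-256 growth: $(( $(slab_active_objs "$after" kmalloc-256) - $(slab_active_objs "$before" kmalloc-256) ))"
    echo "verdict: $(tcindex_leak_verdict "$mon" "$before" "$after" 100 50000)"
else
    echo "sample window:"; tcindex_changes_by_dev "$SAMPLE_MONITOR"
    echo "verdict: $(tcindex_leak_verdict "$SAMPLE_MONITOR" "$SAMPLE_SLAB_BEFORE" "$SAMPLE_SLAB_AFTER" 3 10000)"
fi
```

Without arguments the script runs the parsers over the constructed sample; `sudo sh tcindex_watch.sh --watch 60` samples the live host for a minute. Requiring both signals keeps legitimate bulk filter updates (many changes, flat slab) and unrelated slab growth (flat changes) from alerting; only the combination points at the leak.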
