CVE-2022-0185
Published: 11 February 2022
Summary
CVE-2022-0185 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the Linux kernel. Its CVSS 3.1 base score is 8.4 (High).
Operationally, it ranks in the top 16.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A heap-based buffer overflow exists in the legacy_parse_param function in the Filesystem Context code (fs/fs_context.c) of the Linux kernel. When a filesystem lacks native Filesystem Context API support, its mount parameters fall back to legacy handling, which concatenates them into a single PAGE_SIZE buffer. The length check guarding that buffer subtracts the bytes already accumulated from PAGE_SIZE - 2 in unsigned arithmetic; once the accumulated size exceeds PAGE_SIZE - 2 the subtraction wraps to a huge value, the check accepts any length, and the copy that follows writes past the end of the buffer. The issue is tracked under CWE-190 and CWE-191 and carries a CVSS 3.1 score of 8.4.
An unprivileged local attacker who can open a filesystem context for an affected filesystem (for example through the fsopen/fsconfig mount API) can trigger the overflow. When unprivileged user namespaces are enabled, no special privileges are required, because CAP_SYS_ADMIN inside a freshly created user namespace is enough to reach the path; otherwise the attacker needs namespaced CAP_SYS_ADMIN. Successful exploitation allows escalation to root on the host.
The upstream fix is the mainline kernel commit that corrects the length check in legacy_parse_param. Vendor advisories, including NetApp's, direct administrators to apply the relevant kernel updates. Where patching is delayed, restricting unprivileged user namespaces (for example, setting the user.max_user_namespaces sysctl to 0, at the cost of unprivileged containers) removes the unprivileged trigger; the legacy fallback path itself is not something that can be switched off by configuration.
EPSS scores for the CVE rose from lower values after disclosure to a peak of 0.0783 on 2023-02-03 before receding to the current 0.0194, indicating a period of increased exploitation interest roughly a year after publication. Public proof-of-concept code and technical analyses are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15389
Vulnerability details
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameter length. An unprivileged (in case unprivileged user namespaces are enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
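The two descriptions above state the flaw in prose. The following is an added example, not code from the kernel or from this page, that models the pre-fix length check from legacy_parse_param beside the corrected check from the upstream fix and replays the trigger against a user-space stand-in for the PAGE_SIZE legacy_data buffer. The struct, the canary region standing in for the neighbouring heap chunk, the harness bound and the sample parameter values are this example's own constructions; PAGE_SIZE is assumed to be 4096.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PAGE_SIZE, the buffer size and the two length checks mirror fs/fs_context.c;
 * the struct, canary and harness around them are this example's own model. */
#define PAGE_SIZE 4096UL
#define CANARY_SIZE 64
#define CANARY_BYTE 0xAA

struct legacy_ctx_model {
    /* heap[0..PAGE_SIZE) stands for the kmalloc(PAGE_SIZE) legacy_data buffer;
     * the CANARY_SIZE bytes after it stand for the neighbouring heap chunk. */
    unsigned char heap[PAGE_SIZE + CANARY_SIZE];
    unsigned int data_size;          /* ctx->data_size: bytes of options so far */
};

typedef bool (*length_check_fn)(unsigned int size, size_t len);

/* The bound the pre-fix check compares against. Once size reaches PAGE_SIZE-1
 * the unsigned subtraction wraps to ULONG_MAX and no length is ever "too large". */
unsigned long vulnerable_bound(unsigned int size)
{
    return PAGE_SIZE - 2 - size;
}

/* Pre-fix check from legacy_parse_param(): the CWE-191 wraparound. */
bool accepts_vulnerable(unsigned int size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Post-fix check (upstream commit 722d94847de2, "vfs: fs_context: fix up
 * param length parsing in legacy_parse_param"): compare the sum instead. */
bool accepts_fixed(unsigned int size, size_t len)
{
    return !(size + len + 2 > PAGE_SIZE);
}

/* Appends ",key" or ",key=value" the way legacy_parse_param() does, guarded by
 * the supplied check. Returns 0 on success, -1 when the check rejects, -2 when
 * the write would leave even this model's backing array (harness guard only,
 * placed above the modelled buffer so it never hides the bug). */
int legacy_append(struct legacy_ctx_model *ctx, const char *key,
                  const unsigned char *value, size_t value_len, length_check_fn check)
{
    unsigned int size = ctx->data_size;
    size_t keylen = strlen(key);
    size_t len = keylen + (value ? 1 + value_len : 0);   /* '=' plus the string */

    if (!check(size, len))
        return -1;
    if ((size_t)size + len + 2 > sizeof ctx->heap)       /* keep the model in bounds */
        return -2;

    ctx->heap[size++] = ',';
    memcpy(ctx->heap + size, key, keylen);
    size += keylen;
    if (value) {
        ctx->heap[size++] = '=';
        memcpy(ctx->heap + size, value, value_len);
        size += value_len;
    }
    ctx->heap[size] = '\0';
    ctx->data_size = size;
    return 0;
}

/* Replays the trigger: a first parameter fills the buffer to exactly
 * PAGE_SIZE-1 bytes (the most either check permits), then a second one is
 * submitted, as an attacker would do with two fsconfig(FSCONFIG_SET_STRING)
 * calls. Returns how many canary bytes were clobbered. */
size_t overflow_demo(length_check_fn check)
{
    static struct legacy_ctx_model ctx;
    static unsigned char filler[PAGE_SIZE];          /* constructed sample value bytes */
    memset(&ctx, 0, sizeof ctx);
    memset(ctx.heap + PAGE_SIZE, CANARY_BYTE, CANARY_SIZE);
    memset(filler, 'A', sizeof filler);

    /* ",a=" + 4092 bytes -> data_size == 4095, NUL at index 4095: buffer full. */
    if (legacy_append(&ctx, "a", filler, PAGE_SIZE - 4, check) != 0)
        return 0;
    /* Second parameter, 40-byte value: rejected by the fix, accepted pre-fix. */
    legacy_append(&ctx, "b", filler, 40, check);

    size_t clobbered = 0;
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (ctx.heap[PAGE_SIZE + i] != CANARY_BYTE)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("pre-fix bound at size 4095: %lu (wrapped)\n", vulnerable_bound(4095));
    printf("vulnerable check: %zu canary bytes overwritten\n", overflow_demo(accepts_vulnerable));
    printf("fixed check:      %zu canary bytes overwritten\n", overflow_demo(accepts_fixed));
    return 0;
}
```

Run stand-alone, the model shows the bound wrapping to ULONG_MAX once the buffer holds PAGE_SIZE-1 bytes, 43 bytes of the neighbouring chunk overwritten under the old check (the comma, key, '=', 40 value bytes and the terminator) and nothing overwritten under the corrected one. In the kernel the overwritten bytes land in whatever kmalloc chunk follows legacy_data, which is what a privilege-escalation exploit shapes the heap to control.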
- CWE(s): CWE-190 (Integer Overflow or Wraparound), CWE-191 (Integer Underflow)
- KEV Date Added: 21 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of parameter lengths in legacy_parse_param, closing the integer wraparound in the length check that leads to the heap buffer overflow.
- SI-16 (Memory Protection): applies memory-protection mechanisms (e.g., guard pages, bounds checking, hardened allocators) that raise the cost of exploiting the heap-based overflow in the kernel's filesystem context code.
- Least privilege (CAP_SYS_ADMIN and user-namespace restrictions): restricting unprivileged user namespaces and the use of CAP_SYS_ADMIN limits an attacker's ability to reach the vulnerable legacy_parse_param path at all.