Cyber Resilience

CVE-2022-0185

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 February 2022
Modified: 06 November 2025
KEV Added: 21 August 2024
Patch: 18 January 2022
CVSS Score (v3.1): 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0194 (83.8th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0185 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the Linux kernel. Its CVSS base score is 8.4 (High).

Operationally, it ranks in the top 16.2% of CVEs by exploit likelihood (EPSS 83.8th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A heap-based buffer overflow exists in the legacy_parse_param function within the Filesystem Context subsystem of the Linux kernel. The flaw stems from insufficient validation of supplied parameter lengths when a filesystem lacking native Filesystem Context API support falls back to legacy handling, leading to improper bounds checking during parameter processing. The issue is tracked under CWE-190 and CWE-191 and carries a CVSS 3.1 score of 8.4.

An unprivileged local attacker who can mount or open an affected filesystem may trigger the overflow. When unprivileged user namespaces are enabled, no special privileges are required; otherwise the attacker needs namespaced CAP_SYS_ADMIN. Successful exploitation grants the ability to escalate privileges to root on the system.

Upstream fixes are referenced in the mainline kernel commit that corrects legacy_parse_param handling. Vendor advisories, including NetApp's, direct administrators to apply the relevant kernel updates or configuration changes that disable legacy fallback paths where feasible.

EPSS scores for the CVE rose from lower values after disclosure to a peak of 0.0783 on 2023-02-03 before receding to the current 0.0194, indicating a period of increased exploitation interest roughly a year post-publication. Public proof-of-concept code and technical analyses are available.

Vulnerability details

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

CWE(s): CWE-190, CWE-191
KEV Date Added: 21 August 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux, linux kernel: 5.1 to 5.4.173 · 5.5 to 5.10.93 · 5.11 to 5.15.16
netapp, h410c firmware: all versions
netapp, h300s firmware: all versions
netapp, h500s firmware: all versions
netapp, h700s firmware: all versions
netapp, h300e firmware: all versions
netapp, h500e firmware: all versions
netapp, h700e firmware: all versions
netapp, h410s firmware: all versions

Mitigating Controls (NIST 800-53 r5)

prevent, SI-10 (Information Input Validation): Directly enforces validation of parameter lengths in legacy_parse_param, blocking the integer overflow that triggers the heap buffer overflow.

prevent, SI-16 (Memory Protection): Applies memory-protection mechanisms (e.g., guard pages, bounds checking) that mitigate exploitation of the heap-based overflow in the kernel's filesystem context code.

prevent: Restricts use of CAP_SYS_ADMIN and unprivileged user namespaces, limiting the attacker's ability to reach the vulnerable legacy_parse_param path.
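As an added illustration that is not code from this page or from the kernel source, the C model below contrasts the wrap-prone length check described in the deeper analysis with the input-validation control (SI-10) above: a canary-guarded page buffer shows which form of the check keeps the write in bounds. The PAGE_SIZE value, the harness and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096UL  /* assumed; the kernel's value on x86-64 */
#define CANARY_BYTES 256
/* Simplified model of the legacy_parse_param length check, not the kernel's
 * source: `size` bytes already sit in the one-page legacy options buffer, `len`
 * bytes arrive, and 2 more are needed for ',' and the NUL. Vulnerable pattern
 * (CWE-191): once size > PAGE_SIZE - 2 the subtraction wraps, any len passes. */
bool legacy_len_ok_vulnerable(size_t size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Hardened: reject before any arithmetic that could wrap (for caller-bounded
 * len this is equivalent to the upstream `size + len + 2 > PAGE_SIZE`). */
bool legacy_len_ok_fixed(size_t size, size_t len)
{
    if (size > PAGE_SIZE - 2)
        return false;                    /* no room even for ',' and NUL */
    return len <= PAGE_SIZE - 2 - size;  /* subtraction cannot wrap now */
}

/* Constructed harness: append via `check` into a page + canary; true if the canary survived. */
bool append_keeps_canary(bool (*check)(size_t, size_t), size_t size, size_t len)
{
    unsigned char page[PAGE_SIZE + CANARY_BYTES];
    if (size > PAGE_SIZE || len + 2 > CANARY_BYTES)
        return false;                    /* beyond what the harness models */
    memset(page, 0, PAGE_SIZE);
    memset(page + PAGE_SIZE, 0xAA, CANARY_BYTES);
    if (!check(size, len))
        return true;                     /* rejected: nothing is written */
    page[size++] = ',';
    memset(page + size, 'x', len);       /* the parameter bytes */
    page[size + len] = '\0';
    for (size_t i = 0; i < CANARY_BYTES; i++)
        if (page[PAGE_SIZE + i] != 0xAA)
            return false;                /* write spilled past the page */
    return true;
}

int main(void)
{
    size_t size = PAGE_SIZE - 1, len = 100;  /* buffer almost full */
    printf("vulnerable: canary intact=%d\nfixed: canary intact=%d\n",
           append_keeps_canary(legacy_len_ok_vulnerable, size, len),
           append_keeps_canary(legacy_len_ok_fixed, size, len));
}
```

With the buffer one byte short of full, the vulnerable check accepts a 100-byte parameter and the canary is overwritten, while the hardened check rejects it and nothing is written.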
