Cyber Resilience

CVE-2022-0847

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 March 2022

Modified: 06 November 2025
KEV Added: 25 April 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8906 (99.8th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2022-0847 is a high-severity Improper Initialization (CWE-665) vulnerability in Red Hat Enterprise Linux EUS. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2022-0847 is a flaw in the Linux kernel arising from improper initialization of the "flags" member in the new pipe buffer structure within the copy_page_to_iter_pipe and push_pipe functions. The uninitialized field can retain stale values, enabling writes to pages in the page cache that are backed by read-only files. The affected component is the Linux kernel; the issue carries a CVSS 3.1 score of 7.8 and is associated with CWE-665.

An unprivileged local user can exploit the flaw to modify read-only file contents cached in memory and thereby escalate privileges on the system. Exploitation requires local access and does not depend on user interaction or special network conditions.

Public exploit code targeting the vulnerability has been posted to Packet Storm, and a Red Hat Bugzilla entry provides additional technical details. The EPSS score currently stands at 0.8108 with a recorded peak of 0.8461, indicating sustained exploitation interest after disclosure.

Vulnerability details

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.


Related Threats

CVEs Like This One

CVE-2023-4911 · Same product: Fedoraproject Fedora · both on KEV
CVE-2024-54085 · Same product: Netapp H300S · both on KEV
CVE-2021-44228 · Same product: Fedoraproject Fedora · both on KEV
CVE-2021-3156 · Same product: Fedoraproject Fedora · both on KEV
CVE-2025-0411 · Same product class: NAS / storage appliance · both on KEV
CVE-2025-24813 · Same product class: NAS / storage appliance · both on KEV
CVE-2020-1472 · Same product: Fedoraproject Fedora · both on KEV
CVE-2024-56171 · Same product: Netapp H300S
CVE-2025-24928 · Same product: Netapp H300S
CVE-2024-6387 · Same product: Redhat Enterprise Linux

Affected Assets

linux / linux kernel: 5.8 — 5.10.102 · 5.15 — 5.15.25 · 5.16 — 5.16.11
fedoraproject / fedora: 35
redhat / enterprise linux: 8.0
redhat / enterprise linux eus: 8.2, 8.4
redhat / enterprise linux for ibm z systems: 8.0
redhat / enterprise linux for ibm z systems eus: 8.2, 8.4
redhat / enterprise linux for power little endian: 8.0
redhat / enterprise linux for power little endian eus: 8.2, 8.4
redhat / enterprise linux for real time: 8
redhat / enterprise linux for real time for nfv: 8
+19 more product configuration(s) — see NVD for full list
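
A triage check for the upstream kernel ranges listed above, as an added example that is not part of the original page. The function names, the sample release strings and the reading of each range's upper bound as the first fixed release are assumptions.

```python
import platform
import re

# Upstream ranges as listed under "Affected Assets" on this page.
# Assumption: each upper bound is the first fixed release (exclusive).
AFFECTED_RANGES = [
    ((5, 8, 0), (5, 10, 102)),
    ((5, 15, 0), (5, 15, 25)),
    ((5, 16, 0), (5, 16, 11)),
]
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a `uname -r` string such as '5.15.0-25-generic' into (5, 15, 0)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release):
    """Classify a release string against the listed upstream ranges.

    'listed'     -> inside a listed range; confirm the fixed build is installed.
    'not-listed' -> outside the listed ranges. Not proof of safety: vendor
                    kernels carry backports, so the distribution advisory
                    decides (the page lists Enterprise Linux 8 separately).
    """
    version = parse_release(release)
    hit = any(low <= version < high for low, high in AFFECTED_RANGES)
    return "listed" if hit else "not-listed"


if __name__ == "__main__":
    # Constructed sample release strings, followed by the running kernel.
    samples = ["5.10.101", "5.10.102", "5.16.11-arch1-1",
               "4.18.0-348.el8.x86_64", platform.release()]
    for rel in samples:
        try:
            print(f"{rel:28} {triage(rel)}")
        except ValueError as exc:
            print(f"{rel:28} skipped ({exc})")
```

A vendor release string such as the constructed `4.18.0-348.el8.x86_64` falls outside the upstream ranges even though the page lists Enterprise Linux 8 as affected, so `uname -r` matching alone is a first-pass filter and the package build must be checked against the vendor advisory.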

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely application of patches that eliminate the improper pipe-buffer initialization flaw allowing local privilege escalation.

prevent

Enforces least-privilege restrictions on unprivileged local users so that even successful exploitation cannot obtain root or SUID capabilities.

prevent

Requires process isolation boundaries that limit the ability of a flawed pipe implementation to corrupt page-cache contents belonging to other subjects.
