Cyber Resilience

CVE-2022-2588

Medium · Public PoC

Published: 08 January 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.5431 (98.1th percentile)
Risk Priority: 43 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2588 is a medium-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 1.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a use-after-free and double-free flaw (CWE-416, CWE-415) in the cls_route filter implementation of the Linux kernel networking subsystem. When a route filter handle has the value zero, the code fails to remove the old filter entry from the hashtable before freeing the associated structure, leaving a dangling reference that can later be dereferenced or freed again.

A local attacker with low privileges can trigger the bug by installing and manipulating route classifiers through the appropriate netlink interfaces. Successful exploitation can result in memory corruption that leads to a kernel crash or limited integrity impact, though the CVSS vector notes high attack complexity and no confidentiality loss.

Ubuntu security notices USN-5557-1 and USN-5560-1, along with the upstream patch posted to the netdev mailing list, recommend upgrading to fixed kernel versions that correctly remove the filter entry before freeing it. The referenced GitHub repository contains a proof-of-concept that demonstrates the issue on affected kernels.
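The flaw and its fix as described above, modelled in user space as an added example (this is not kernel code and not taken from the referenced PoC or patch). The struct, function names and bucket count are assumptions, and the free is simulated with a flag so the stale hashtable entry can be inspected safely.

```c
#include <stdio.h>
#include <string.h>
#define BUCKETS 4                       /* assumed size for this toy table */
/* Simplified stand-in for a route filter; not the kernel's structure. */
struct filter { unsigned handle; int freed; };
static struct filter *table[BUCKETS];   /* one slot per bucket */

static unsigned bucket_of(unsigned handle) { return handle % BUCKETS; }
/* Swap `old` for `repl`. With fixed == 0 the old entry is unlinked only when
 * its handle is non-zero, which models the flaw; fixed == 1 always unlinks. */
static void replace_filter(struct filter *old, struct filter *repl, int fixed)
{
    if (old && (fixed || old->handle != 0)) {
        unsigned b = bucket_of(old->handle);
        if (table[b] == old)
            table[b] = NULL;
    }
    table[bucket_of(repl->handle)] = repl;
    if (old)
        old->freed = 1;  /* stands in for the free; memory stays valid here */
}

/* Count table slots that still point at a filter marked as freed. */
static int dangling_entries(void)
{
    int n = 0;
    for (int i = 0; i < BUCKETS; i++)
        if (table[i] && table[i]->freed)
            n++;
    return n;
}

/* Install a filter with old_handle, replace it, report stale references. */
int run_scenario(unsigned old_handle, int fixed)
{
    struct filter old = { old_handle, 0 }, repl = { old_handle + 1, 0 };
    memset(table, 0, sizeof table);
    table[bucket_of(old.handle)] = &old;
    replace_filter(&old, &repl, fixed);
    return dangling_entries();
}

int main(void)
{
    printf("handle 0, flawed: %d stale\n", run_scenario(0, 0));
    printf("handle 2, flawed: %d stale\n", run_scenario(2, 0));
    printf("handle 0, fixed:  %d stale\n", run_scenario(0, 1));
    return 0;
}
```

Only the zero-handle case under the flawed logic leaves a table slot pointing at a freed filter, which is the dangling reference the analysis describes.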

EPSS scores have reached a peak of 0.5989 with a current value of 0.5431, indicating sustained exploitation interest after disclosure.

Vulnerability details

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux / linux kernel: ≤ 4.9.326 · 4.10 — 4.14.291 · 4.15 — 4.19.256
canonical / ubuntu linux: 14.04, 16.04, 18.04, 20.04, 22.04

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416

Non-executable pages and ASLR block or significantly hinder use-after-free exploits that aim for arbitrary code execution.