CVE-2022-2588
Published: 08 January 2024
Summary
CVE-2022-2588 is a medium-severity use-after-free (CWE-416) vulnerability in the Linux kernel, with a CVSS base score of 5.3 (Medium).
Operationally, it ranks in the top 1.9% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a use-after-free and double-free flaw (CWE-416, CWE-415) in the cls_route filter implementation of the Linux kernel networking subsystem. When a route filter is replaced and the old filter's handle has the value zero, the code fails to remove the old entry from the hashtable before freeing it, so the table keeps a dangling pointer to freed memory that can be dereferenced on a later lookup (use-after-free) or freed a second time (double free). A handle of zero is a valid value for a route filter, so the case is reachable through ordinary filter replacement.
A local attacker with low privileges can trigger the bug by installing, replacing and deleting route classifiers over the rtnetlink tc interface. Installing tc filters requires CAP_NET_ADMIN over the network namespace, which an otherwise unprivileged process obtains by creating its own user and network namespaces wherever unprivileged user namespaces are enabled; that is the precondition to check on a host. Successful exploitation causes memory corruption that leads to a kernel crash or limited integrity impact; the CVSS vector records high attack complexity and no confidentiality loss.
Ubuntu security notices USN-5557-1 and USN-5560-1, along with the upstream patch posted to the netdev mailing list, address the flaw by removing the filter entry from the hashtable before freeing it; the remediation is to upgrade to the fixed kernel versions listed in those notices. The referenced GitHub repository contains a proof-of-concept that demonstrates the issue on affected kernels.
EPSS peaked at 0.5989 and currently stands at 0.5431, i.e. an estimated 54% probability of exploitation activity within the next 30 days, which is sustained interest well after disclosure.
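The replace path described above, modelled as an added example that is neither kernel code nor taken from the referenced proof-of-concept: a small hash table of route filters, a replace function whose pre-fix branch unlinks the old entry only when its handle is non-zero (the condition the advisory describes) and whose fixed branch unlinks it unconditionally, a table walk that counts dangling entries (the use-after-free) and a teardown that counts double frees. The names route4_filter, route4_head, route4_replace and route4_scenario are assumptions made here, the bucket hashing is simplified, and a freed flag stands in for the slab allocator so the dangling pointer is counted rather than dereferenced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define ROUTE4_BUCKETS 256

/* Hypothetical model for this page: names mirror cls_route, details simplified. */
struct route4_filter {
    uint32_t handle;             /* 0 is a legal handle for a route filter */
    struct route4_filter *next;  /* chain within one hash bucket */
    bool freed;                  /* simulated slab state, see route4_free() */
};
struct route4_head { struct route4_filter *ht[ROUTE4_BUCKETS]; };

static unsigned route4_bucket(uint32_t handle) { return handle & 0xff; }

static void route4_link(struct route4_head *head, struct route4_filter *f)
{
    unsigned b = route4_bucket(f->handle);
    f->next = head->ht[b];
    head->ht[b] = f;
}

/* Unlink f from its bucket; returns true if it was found there. */
static bool route4_unlink(struct route4_head *head, struct route4_filter *f)
{
    struct route4_filter **pp = &head->ht[route4_bucket(f->handle)];
    for (; *pp; pp = &(*pp)->next)
        if (*pp == f) {
            *pp = f->next;
            return true;
        }
    return false;
}

/* Stand-in for kfree(): mark the object freed so a dangling pointer is counted later, not dereferenced. */
static void route4_free(struct route4_filter *f) { f->freed = true; }

/* Replace fold by fnew. Pre-fix (fixed == false), as the advisory describes:
 * the old entry is unlinked only if its handle is non-zero, yet always freed. */
static void route4_replace(struct route4_head *head, struct route4_filter *fold,
                           struct route4_filter *fnew, bool fixed)
{
    if (fixed || fold->handle != 0)
        route4_unlink(head, fold);
    route4_link(head, fnew);
    route4_free(fold);           /* dangling in ht[] when !fixed && handle == 0 */
}

/* Classifier walk: counts reachable entries pointing at freed memory, i.e. the use-after-free. */
static int route4_count_dangling(const struct route4_head *head)
{
    int n = 0;
    for (unsigned b = 0; b < ROUTE4_BUCKETS; b++)
        for (const struct route4_filter *f = head->ht[b]; f; f = f->next)
            n += f->freed;
    return n;
}

/* Table teardown: frees every linked entry; entries already freed are the double free (CWE-415). */
static int route4_destroy(struct route4_head *head)
{
    int double_frees = 0;
    for (unsigned b = 0; b < ROUTE4_BUCKETS; b++)
        for (struct route4_filter *f = head->ht[b], *next; f; f = next) {
            next = f->next;
            double_frees += f->freed;
            route4_free(f);
        }
    return double_frees;
}

/* Install a filter with old_handle, replace it, and return how many freed
 * objects stay reachable; *double_frees receives the count from teardown. */
int route4_scenario(uint32_t old_handle, bool fixed, int *double_frees)
{
    struct route4_head head = {0};
    struct route4_filter *fold = calloc(1, sizeof *fold);
    struct route4_filter *fnew = calloc(1, sizeof *fnew);
    if (!fold || !fnew) abort();
    fold->handle = old_handle;
    fnew->handle = 0x00010001;   /* the replacement gets an ordinary handle */
    route4_link(&head, fold);
    route4_replace(&head, fold, fnew, fixed);
    int dangling = route4_count_dangling(&head);
    *double_frees = route4_destroy(&head);
    free(fold);                  /* the real memory is released exactly once */
    free(fnew);
    return dangling;
}

int main(void)
{
    int dbl, d = route4_scenario(0, false, &dbl);
    printf("vulnerable, old handle 0: dangling=%d double_free=%d\n", d, dbl);
    d = route4_scenario(0, true, &dbl);
    printf("fixed, old handle 0:      dangling=%d double_free=%d\n", d, dbl);
    return 0;
}
```

With the pre-fix branch and an old handle of 0 the walk finds one freed object still reachable and the teardown frees it a second time; with a non-zero old handle, or with the fixed branch, both counts are zero. That is the whole distance between the advisory's one-line description and the two CWEs it cites.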
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34837
Vulnerability details
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.
- CWE(s): CWE-416 (Use After Free), CWE-415 (Double Free)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Non-executable pages and ASLR raise the cost of turning a use-after-free into arbitrary code execution, but they do not prevent the memory corruption itself. For a kernel-side bug such as this one the relevant counterparts are KASLR and SMEP/SMAP, and the most effective control is to deny unprivileged processes the CAP_NET_ADMIN they need to install classifiers, for example by restricting unprivileged user namespaces until the fixed kernel is deployed.