CVE-2022-49044
Published: 26 February 2025
Summary
CVE-2022-49044 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel's dm-integrity device-mapper target. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking is at the 2.4th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2022-49044 is a memory corruption vulnerability in the Linux kernel's dm-integrity target. It occurs when the tag_size parameter is configured smaller than the digest size of the internal hash. dm-integrity then uses only the first tag_size bytes of each digest, but crypto_shash_final still writes the full digest into each tag slot of the ic->recalc_tags array. The slots are only tag_size bytes apart, so the overflow surfaces at the last array member: there is no following slot to absorb the extra bytes and no padding at the end of the allocation, and the integrity_recalc->integrity_sector_checksum->crypto_shash_final path writes past the end of the array.
The CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates this as a local, low-complexity attack that requires low privileges and no user interaction, with high impact on confidentiality, integrity, and availability. In practice the trigger is a dm-integrity table whose tag_size is smaller than the internal hash's digest size, so the attacker must be able to load such a table or rely on one an administrator has already configured. Successful exploitation corrupts kernel memory, which can lead to arbitrary code execution in kernel context, data tampering, or denial of service.
Mitigation is to apply the stable kernel patches carried in the following upstream commits: 08c1af8f1c13bbf210f1760132f4df24d0ed46d6, 4d485cf9b609709e45d5113e6e2b1b01254b2fe9, 6a95d91c0b315c965198f6ab7dec7c94129e17e0, 6b4bf97587ef6c1927a78934b700204920655123, and 7f84c937222944c03f4615ca4742df6bed0e5adf. These fixes enlarge the recalc_tags allocation so that it has enough padding at the end for the last member to receive a full digest, which removes the out-of-bounds write. Systems that use dm-integrity with an internal hash should move to kernels that include these changes; until then, avoid configuring tag_size below the digest size of the chosen hash.
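The following user-space model, added here as an illustration and not taken from the kernel source or from the upstream fix, reproduces the loop shape described above: tag slots that are tag_size bytes apart, a hash that always emits digest_size bytes, and an allocation that either has or lacks the trailing padding. The names run_recalc, recalc_tags_size, integrity_recalc_model, fake_shash_final and struct ic_model are constructed for the model, as are the sector counts and sizes in main; the write lands in a canary-guarded buffer so the overflow can be observed without undefined behaviour.

```c
/*
 * Model of the dm-integrity recalc_tags overflow described in CVE-2022-49044.
 * Added illustration, not kernel code: the real target lives in
 * drivers/md/dm-integrity.c. Names and sizes here are constructed so the
 * loop shape (one full digest written per tag slot) can be run in user space.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BACKING_SIZE 256   /* real storage behind the modelled allocation */
#define CANARY       0xCC  /* fill pattern for bytes past the allocation */

/* Model of ic->tag_size / crypto_shash_digestsize(ic->internal_hash). */
struct ic_model {
    unsigned tag_size;
    unsigned digest_size;
    unsigned char *recalc_tags;  /* start of the modelled recalc_tags array */
    size_t recalc_tags_size;     /* bytes the model believes were allocated */
};

/* Stand-in for crypto_shash_final(): always emits a full digest_size bytes. */
static void fake_shash_final(unsigned char *out, unsigned digest_size, unsigned sector)
{
    memset(out, 0xA0 | (sector & 0x0F), digest_size);
}

/*
 * Size of the recalc_tags allocation. 'padded' selects the fixed computation:
 * when the digest is longer than the tag, add the difference so the last slot
 * can receive a whole digest. Unpadded is the pre-fix behaviour.
 */
size_t recalc_tags_size(unsigned sectors, unsigned tag_size, unsigned digest_size, int padded)
{
    size_t size = (size_t)sectors * tag_size;
    if (padded && digest_size > tag_size)
        size += digest_size - tag_size;
    return size;
}

/*
 * Model of the per-sector loop in integrity_recalc(): each tag slot is
 * tag_size bytes apart, but the hash writes digest_size bytes into it.
 */
static void integrity_recalc_model(struct ic_model *ic, unsigned sectors)
{
    for (unsigned i = 0; i < sectors; i++) {
        unsigned char *tag = ic->recalc_tags + (size_t)i * ic->tag_size;
        fake_shash_final(tag, ic->digest_size, i);
        /* modelled: a digest shorter than the tag is zero-padded to tag_size */
        if (ic->digest_size < ic->tag_size)
            memset(tag + ic->digest_size, 0, ic->tag_size - ic->digest_size);
    }
}

/*
 * Run the loop against a canary-guarded buffer and report whether any byte
 * beyond the modelled allocation was written.
 * Returns 1 on out-of-bounds write, 0 if all writes stayed in bounds,
 * -1 if the scenario does not fit the backing buffer.
 */
int run_recalc(unsigned sectors, unsigned tag_size, unsigned digest_size, int padded)
{
    static unsigned char backing[BACKING_SIZE];
    struct ic_model ic = { tag_size, digest_size, backing, 0 };
    size_t last_write_end;

    if (sectors == 0 || tag_size == 0 || digest_size == 0)
        return -1;
    ic.recalc_tags_size = recalc_tags_size(sectors, tag_size, digest_size, padded);
    /* keep even the overflowing write inside 'backing' so the model itself is defined */
    last_write_end = (size_t)(sectors - 1) * tag_size
                   + (digest_size > tag_size ? digest_size : tag_size);
    if (ic.recalc_tags_size > BACKING_SIZE || last_write_end > BACKING_SIZE)
        return -1;

    memset(backing, CANARY, sizeof backing);
    integrity_recalc_model(&ic, sectors);

    for (size_t off = ic.recalc_tags_size; off < BACKING_SIZE; off++)
        if (backing[off] != CANARY)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed scenarios: 4 blocks, tag_size 4, internal hash with a 16-byte digest */
    printf("tag_size=4  digest=16 unpadded: oob=%d\n", run_recalc(4, 4, 16, 0));
    printf("tag_size=4  digest=16 padded:   oob=%d\n", run_recalc(4, 4, 16, 1));
    printf("tag_size=32 digest=16 unpadded: oob=%d\n", run_recalc(4, 32, 16, 0));
    return 0;
}
```

With four slots of 4 bytes and a 16-byte digest, the unpadded allocation is 16 bytes but the last slot's write ends at offset 28, so 12 bytes of canary are clobbered; the padded allocation is 28 bytes and the same loop stays in bounds. A tag_size at or above the digest size never overflows in either variant, which is the configuration-side mitigation the controls below describe.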
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55159
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

dm integrity: fix memory corruption when tag_size is less than digest size

It is possible to set up dm-integrity in such a way that the "tag_size" parameter is less than the actual digest size. In this situation, a part of the digest beyond tag_size is ignored. In this case, dm-integrity would write beyond the end of the ic->recalc_tags array and corrupt memory. The corruption happened in integrity_recalc->integrity_sector_checksum->crypto_shash_final. Fix this corruption by increasing the tags array so that it has enough padding at the end to accommodate the loop in integrity_recalc() being able to write a full digest size for the last member of the tags array.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory corruption (an out-of-bounds write) in dm-integrity can enable privilege escalation via arbitrary code execution in kernel context from a low-privileged starting point.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation (SI-2) through application of the stable kernel patches removes the out-of-bounds write in dm-integrity's recalc_tags array.
Memory protection mechanisms such as kernel address space layout randomization and supervisor mode execution prevention raise the cost of turning this memory corruption into code execution, but they do not remove the bug and are a complement to patching, not a substitute.
Secure configuration settings (CM-6) for dm-integrity ensure that tag_size is never set smaller than the digest size of the internal hash, which removes the condition that triggers the out-of-bounds write on kernels that have not yet been patched.
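One way to audit the CM-6 condition above, written here as an added example rather than a kernel, LVM or dmsetup tool: parse dm-integrity table lines in the constructor format "<start> <len> integrity <dev> <offset> <tag_size> <mode> [<nargs> <args...>]" and flag any line whose internal_hash digest is longer than tag_size. The function name integrity_line_is_vulnerable, the digest_table of common algorithm sizes, and the sample table lines in main are constructed for this example; in practice the lines would come from the output of dmsetup table on the host being checked.

```c
/*
 * Audit of dm-integrity table lines for the CVE-2022-49044 trigger condition
 * (tag_size smaller than the internal hash's digest size). Added example,
 * not a kernel or LVM tool. The hash is given as "internal_hash:<alg>[:<key>]".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* digest sizes in bytes for algorithms commonly used with dm-integrity (constructed table) */
static const struct { const char *name; unsigned digest_size; } digest_table[] = {
    { "crc32c", 4 }, { "crc32", 4 }, { "xxhash64", 8 },
    { "md5", 16 }, { "sha1", 20 }, { "sha256", 32 }, { "sha512", 64 },
    { "hmac(sha256)", 32 }, { "hmac(sha512)", 64 },
};

static long lookup_digest_size(const char *alg)
{
    for (size_t i = 0; i < sizeof digest_table / sizeof digest_table[0]; i++)
        if (strcmp(alg, digest_table[i].name) == 0)
            return digest_table[i].digest_size;
    return -1;  /* unknown algorithm: caller treats this as "cannot judge" */
}

/*
 * Returns 1 if the line configures an internal hash whose digest is longer
 * than tag_size (the vulnerable condition), 0 if it is safe or has no
 * internal hash, and -1 if the line is not a parseable integrity table line
 * or names an algorithm this table does not know.
 */
int integrity_line_is_vulnerable(const char *line)
{
    char buf[512];
    char *tok, *end;
    char *fields[8];
    int n = 0, have_hash = 0;
    long tag_size, digest = -1;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);

    /* first seven fixed fields: start len target dev offset tag_size mode */
    for (tok = strtok(buf, " \t\n"); tok && n < 7; tok = strtok(NULL, " \t\n"))
        fields[n++] = tok;
    if (n < 7 || strcmp(fields[2], "integrity") != 0)
        return -1;
    tag_size = strtol(fields[5], &end, 10);
    if (*end != '\0' || tag_size < 0)
        return -1;

    /* remaining tokens: optional argument count followed by "key:value" args */
    for (; tok; tok = strtok(NULL, " \t\n")) {
        if (strncmp(tok, "internal_hash:", 14) == 0) {
            char alg[64];
            const char *start = tok + 14;
            size_t len = strcspn(start, ":");  /* algorithm ends at the optional ':key' */
            if (len >= sizeof alg)
                return -1;
            memcpy(alg, start, len);
            alg[len] = '\0';
            have_hash = 1;
            digest = lookup_digest_size(alg);
        }
    }
    if (!have_hash)
        return 0;   /* no internal hash, so no digest to overflow with */
    if (digest < 0)
        return -1;
    return digest > tag_size ? 1 : 0;
}

int main(void)
{
    /* constructed sample table lines in the form "dmsetup table" prints them */
    const char *lines[] = {
        "0 2097152 integrity /dev/sdb 0 4 J 2 journal_sectors:8192 internal_hash:crc32c",
        "0 2097152 integrity /dev/sdc 0 4 J 2 journal_sectors:8192 internal_hash:sha256",
        "0 2097152 integrity /dev/sdd 0 32 J 3 journal_sectors:8192 internal_hash:hmac(sha256):00112233 block_size:4096",
        "0 2097152 linear /dev/sde 0",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%2d  %s\n", integrity_line_is_vulnerable(lines[i]), lines[i]);
    return 0;
}
```

A result of 1 is the configuration the advisory warns about (here, a 4-byte tag with a 32-byte sha256 digest) and should be corrected, or the host patched, before the next recalculation runs; -1 means the checker could not judge the line, which is worth a manual look rather than silent acceptance.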