Cyber Resilience

CVE-2022-49127

High

Published: 26 February 2025

Published
26 February 2025
Modified
25 March 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49127 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49127 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ref_tracker component. It arises from buggy dev_put() and dev_hold() operations occurring too late during the netdevice dismantle process. The affected software is the Linux kernel.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation can result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.8.

Mitigation is provided through kernel patches that implement use-after-free detection in ref_tracker. These patches mark the struct ref_tracker_dir as dead upon ref_tracker_dir_init() and test the dead status in ref_tracker_alloc() and ref_tracker_free(). The fixes are available at https://git.kernel.org/stable/c/3743c9de303fa36c2e2ca2522ab280c52bcafbd2 and https://git.kernel.org/stable/c/e3ececfe668facd87d920b608349a32607060e66.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ref_tracker: implement use-after-free detection Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir as dead. Test the dead status from ref_tracker_alloc() and ref_tracker_free() This should detect buggy dev_put()/dev_hold() happening too late…

more

in netdevice dismantle process.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local low-priv UAF in kernel netdevice/ref_tracker directly enables privilege escalation to achieve full system compromise (C/I/A:H).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2023-52974Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2022-49176Same product: Linux Linux Kernel
CVE-2022-49291Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.17 — 5.17.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the use-after-free flaw in the Linux kernel's ref_tracker component through application of specific patches that fix buggy dev_put() and dev_hold() operations.

prevent

Implements memory protection safeguards such as randomization and execution prevention that directly mitigate exploitation of use-after-free vulnerabilities in kernel netdevice reference tracking.

detect

Enables vulnerability scanning to identify systems affected by CVE-2022-49127 in the Linux kernel ref_tracker, allowing prioritization of patching.

References