CVE-2022-49127
Published: 26 February 2025
Summary
CVE-2022-49127 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 32.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49127 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ref_tracker component. It arises from buggy dev_put() and dev_hold() operations occurring too late during the netdevice dismantle process. The affected software is the Linux kernel.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation can result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.8.
Mitigation is provided through kernel patches that implement use-after-free detection in ref_tracker. These patches mark the struct ref_tracker_dir as dead upon ref_tracker_dir_init() and test the dead status in ref_tracker_alloc() and ref_tracker_free(). The fixes are available at https://git.kernel.org/stable/c/3743c9de303fa36c2e2ca2522ab280c52bcafbd2 and https://git.kernel.org/stable/c/e3ececfe668facd87d920b608349a32607060e66.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54485
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ref_tracker: implement use-after-free detection Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir as dead. Test the dead status from ref_tracker_alloc() and ref_tracker_free(). This should detect buggy dev_put()/dev_hold() happening too late in netdevice dismantle process.
Related Threats
MITRE ATT&CK Enterprise Techniques
Local low-priv UAF in kernel netdevice/ref_tracker directly enables privilege escalation to achieve full system compromise (C/I/A:H).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the use-after-free flaw in the Linux kernel's ref_tracker component through application of specific patches that fix buggy dev_put() and dev_hold() operations.
Implements memory protection safeguards such as randomization and execution prevention that directly mitigate exploitation of use-after-free vulnerabilities in kernel netdevice reference tracking.
Enables vulnerability scanning to identify systems affected by CVE-2022-49127 in the Linux kernel ref_tracker, allowing prioritization of patching.