Cyber Resilience

CVE-2022-49236

High

Published: 26 February 2025

Published
26 February 2025
Modified
25 March 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49236 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2022-49236 is a use-after-free (UAF) vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically arising from a race condition between the btf_try_get_module function and the load_module process during kernel module initialization. The issue occurs when BTF (BPF Type Format) parsing for a module happens in a MODULE_STATE_COMING notifier callback, publishing the module's BTF ID to userspace and adding it to the btf_modules list before the module's initcalls complete. If a BPF program loads and successfully calls btf_try_get_module during this window—incrementing a module reference—and the module initialization then fails, the module is freed, leading to a UAF when the BPF program file descriptor is closed and module_put is invoked on the freed memory. The vulnerability is rated CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-416.

A local attacker with low privileges (PR:L) can exploit this during the narrow race window by loading a BPF program that references the module's BTF ID after it is published but before the module reaches MODULE_STATE_LIVE. If the module's do_init_module call fails post-BPF load—such as in the module's __init function—the kernel frees the module without accounting for the BPF-held reference. Closing the BPF program file descriptor then triggers module_put on freed memory, potentially allowing arbitrary code execution, data corruption, or denial of service due to the high confidentiality, integrity, and availability impacts.

The provided patch references from kernel stable repositories detail the mitigation: a new BTF_MODULE_F_LIVE flag is set in the notifier callback only upon reaching MODULE_STATE_LIVE for the module, causing btf_try_get_module to return NULL for incompletely initialized modules and preventing the reference from being acquired during the race. Combined with existing try_module_get checks against MODULE_STATE_GOING, this closes the window. Selftests verify the fix by artificially reproducing the race, ensuring BPF program loads fail with ENXIO. Users should apply the relevant stable kernel updates containing commits like 0481baa2318c, 18688de203b4, 51b82141fffa, and d7fccf264b1a.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by…

more

the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local UAF in kernel BPF module init directly enables privilege escalation via crafted BPF program load triggering arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2023-52974Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2022-49176Same product: Linux Linux Kernel
CVE-2022-49291Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.12 — 5.15.33 · 5.16 — 5.16.19 · 5.17 — 5.17.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely application of kernel patches that fix the race condition between btf_try_get_module and module initialization.

prevent

Implements memory protection mechanisms such as randomization and isolation to mitigate exploitation of the use-after-free in BPF module references.

prevent

Enforces kernel configuration settings to restrict unprivileged BPF program loading, preventing attackers from triggering the race during vulnerable module initialization.

References