CVE-2022-49395
Published: 26 February 2025
Summary
CVE-2022-49395 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2022-49395 is a stack-based out-of-bounds read in the Linux kernel's User Mode Linux (UML) component during Local Descriptor Table (LDT) setup. syscall_stub_data() expects its data_count parameter to be a number of longs, but the LDT setup path passes it a byte count, so the stub copies far more than the descriptor it was handed. KASAN caught this in init_new_ldt() as a 128-byte read starting at the 16-byte 'desc' object (offset 64 in that function's stack frame) of the swapper/1 task.
A local attacker with low privileges (AV:L, PR:L) can exploit this with low attack complexity (AC:L) and no user interaction (UI:N); scope is unchanged (S:U). Successful exploitation yields high confidentiality impact through unauthorized kernel memory reads (C:H) and high availability impact, e.g. a kernel crash (A:H), with no integrity impact (I:N). The CVSS v3.1 base score is 7.1, mapped to CWE-125 (Out-of-bounds Read).
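To make the unit mismatch concrete, here is an added C example (not the kernel's own code; the stub interface, the desc_t type and the function names are hypothetical stand-ins) showing how passing sizeof(desc) bytes where a count of longs is expected turns a 16-byte copy into a 128-byte read on an LP64 host, and how a bounds check on the stub side refuses the over-long request instead of overrunning the stack object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the descriptor object seen in the KASAN frame:
 * [64, 80) 'desc' is 16 bytes, i.e. two longs on an LP64 kernel. */
#define DESC_LONGS 2
typedef unsigned long desc_t[DESC_LONGS];

/* Number of bytes a stub that takes data_count in longs will copy. */
static size_t stub_bytes_for_count(size_t data_count)
{
    return data_count * sizeof(long);
}

/* Bounds-checked stand-in for the copy the stub performs. Returns the bytes
 * copied, or 0 (copying nothing) when the request would overrun src. */
static size_t stub_copy(void *dst, const void *src, size_t src_bytes,
                        size_t data_count)
{
    size_t nbytes = stub_bytes_for_count(data_count);
    if (nbytes > src_bytes)
        return 0;               /* would read past the end of 'desc' */
    memcpy(dst, src, nbytes);
    return nbytes;
}

/* Buggy caller: passes the size of desc in bytes as if it were longs.
 * On LP64 that asks for 16 * 8 = 128 bytes from a 16-byte object. */
static size_t write_entry_buggy(const desc_t desc, unsigned char *out)
{
    return stub_copy(out, desc, sizeof(desc_t), sizeof(desc_t));
}

/* Fixed caller: converts the byte size to a count of longs first. */
static size_t write_entry_fixed(const desc_t desc, unsigned char *out)
{
    return stub_copy(out, desc, sizeof(desc_t), sizeof(desc_t) / sizeof(long));
}

int main(void)
{
    desc_t desc = { 0x11223344UL, 0x55667788UL };   /* constructed sample */
    unsigned char out[sizeof(desc_t)];

    printf("buggy request: %zu bytes asked, %zu copied\n",
           stub_bytes_for_count(sizeof(desc_t)), write_entry_buggy(desc, out));
    printf("fixed request: %zu bytes asked, %zu copied\n",
           stub_bytes_for_count(sizeof(desc_t) / sizeof(long)),
           write_entry_fixed(desc, out));
    return 0;
}
```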
Mitigation involves applying upstream kernel patches from the provided stable branch commits, including changes such as 10995a382271 (um: Fix out-of-bounds read in LDT setup) and related fixes like 24ca648bf5f7, 2a4a62a14be1, 3549ab4b962c, and 668ca34a428d, which correct the data_count handling in syscall_stub_data() during LDT initialization. Security practitioners should update affected Linux kernels, particularly those using UML, to versions incorporating these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54834
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

um: Fix out-of-bounds read in LDT setup

syscall_stub_data() expects the data_count parameter to be the number of longs, not bytes.

==================================================================
BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
Read of size 128 at addr 000000006411f6f0 by task swapper/1

CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
Call Trace:
 show_stack.cold+0x166/0x2a7
 __dump_stack+0x3a/0x43
 dump_stack_lvl+0x1f/0x27
 print_report.cold+0xdb/0xf81
 kasan_report+0x119/0x1f0
 kasan_check_range+0x3a3/0x440
 memcpy+0x52/0x140
 syscall_stub_data+0x70/0xe0
 write_ldt_entry+0xac/0x190
 init_new_ldt+0x515/0x960
 init_new_context+0x2c4/0x4d0
 mm_init.constprop.0+0x5ed/0x760
 mm_alloc+0x118/0x170
 0x60033f48
 do_one_initcall+0x1d7/0x860
 0x60003e7b
 kernel_init+0x6e/0x3d4
 new_thread_handler+0x1e7/0x2c0

The buggy address belongs to stack of task swapper/1
 and is located at offset 64 in frame:
 init_new_ldt+0x0/0x960

This frame has 2 objects:
 [32, 40) 'addr'
 [64, 80) 'desc'
==================================================================
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel OOB read enables unauthorized memory disclosure for credential access (T1212) and DoS via crashes (T1499).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the stack-based out-of-bounds read by requiring timely application of the Linux kernel patches that fix the data_count handling in syscall_stub_data().
- SI-16 (Memory Protection): Implements memory protection mechanisms that restrict unauthorized out-of-bounds reads from the kernel stack during LDT setup in UML.
- RA-5 (Vulnerability Monitoring and Scanning): Monitors and scans for vulnerabilities such as CVE-2022-49395 in Linux kernel UML components to identify and prioritize remediation.