Cyber Resilience

CVE-2022-49395

Severity: High
Published: 26 February 2025
Modified: 01 October 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (0.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49395 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). EPSS ranks it at the 0.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49395 is a stack-based out-of-bounds read in the Linux kernel's User Mode Linux (UML) port, in the Local Descriptor Table (LDT) setup path (arch/x86/um/ldt.c). syscall_stub_data() takes its data_count parameter as a number of longs, but the LDT setup code handed it a byte count, so the function copied data_count * sizeof(long) bytes: 128 bytes out of a 16-byte descriptor. KASAN caught this as a 128-byte stack-out-of-bounds read in syscall_stub_data(), reached through write_ldt_entry() and init_new_ldt() while the swapper/1 task was initialising a new mm during boot. The faulting address is at offset 64 of init_new_ldt()'s frame, which is exactly where the 16-byte 'desc' object lives ([64, 80)), so the copy runs 112 bytes past the end of that object into neighbouring stack memory.

The CVSS v3.1 vector describes a local attacker (AV:L) with low privileges (PR:L), low attack complexity (AC:L), no user interaction (UI:N) and unchanged scope (S:U), meaning the impact stays within the vulnerable UML kernel itself. Confidentiality impact is rated high (C:H) because the oversized copy pulls neighbouring kernel-stack bytes out along with the descriptor; availability impact is rated high (A:H) because a read that runs past mapped stack memory crashes the kernel; there is no integrity impact (I:N), since the bug is a read, not a write. The base score is 7.1 and the weakness is classified as CWE-125 (Out-of-bounds Read).

Mitigation is to apply the upstream fix, commit 10995a382271 (um: Fix out-of-bounds read in LDT setup), or the corresponding stable-branch commits listed for this CVE (24ca648bf5f7, 2a4a62a14be1, 3549ab4b962c and 668ca34a428d), which change the LDT setup code to pass syscall_stub_data() a count of longs instead of a byte count. The affected code lives in the UML port (arch/x86/um), so only kernels built as User Mode Linux contain it; native x86 kernels do not carry this code path. For UML builds, update to a release that includes one of these commits. Note that the affected-version ranges listed on this page stop at the 4.19 series, while the KASAN report below was taken on 5.18.0+, so newer series carried the bug as well; check your branch against the commit list rather than relying on those ranges alone.
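To make the count-versus-bytes mismatch described above, and the shape of the fix, concrete, here is a self-contained C model written for this page; it is not code from the Linux kernel or from the fix commits. It assumes a simplified stub_data_copy() standing in for syscall_stub_data() (a count of unsigned longs in, bytes copied out), a 16-byte struct desc_model matching the 16-byte 'desc' object in the KASAN frame, and a constructed 128-byte frame_model whose remaining 112 bytes are filled with an 0xAA marker so the overread can be measured. run_buggy() passes a byte count where a long count is expected (the rounding of that byte count up to a multiple of sizeof(long) is my assumption about the original caller's arithmetic, not something this page shows); run_fixed() passes the count of longs.

```c
/* Added model for CVE-2022-49395: the callee counts longs, the buggy caller
 * hands it a byte count. Not kernel code; the names below are stand-ins. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 16-byte descriptor: the 'desc' object at [64, 80) in the
 * KASAN frame report. */
struct desc_model {
    uint32_t entry_number;
    uint32_t base_addr;
    uint32_t limit;
    uint32_t flags;
};

/* Constructed stack frame: the descriptor followed by 112 bytes standing in
 * for whatever else lives next to it on the kernel stack (marked 0xAA). */
struct frame_model {
    struct desc_model desc;
    unsigned char neighbours[112];
};

#define STUB_BYTES 256 /* stub data area; larger than any copy in this model */

_Static_assert(sizeof(struct frame_model) >= 16 * sizeof(unsigned long),
               "frame must cover the largest overread the model performs");

struct copy_result {
    size_t copied; /* bytes the stub copy read from the frame */
    size_t leaked; /* of those, bytes that came from beyond 'desc' */
};

/* Simplified stand-in for syscall_stub_data(): data_count is a number of
 * unsigned longs, exactly as the fix commit message states, and the copy
 * length is derived from it. Returns how many bytes were read from 'data'.
 * (The real function also manages the stub stack page; omitted here.) */
static size_t stub_data_copy(unsigned char *stub, const void *data, int data_count)
{
    size_t nbytes = (size_t)data_count * sizeof(unsigned long);
    assert(nbytes <= STUB_BYTES);
    memcpy(stub, data, nbytes);
    return nbytes;
}

static struct copy_result run_copy(int data_count)
{
    struct frame_model f;
    unsigned char stub[STUB_BYTES];
    struct copy_result r = { 0, 0 };

    memset(&f, 0, sizeof f);
    f.desc.entry_number = 7;       /* constructed sample values */
    f.desc.limit = 0xfffff;
    memset(f.neighbours, 0xAA, sizeof f.neighbours);

    /* The real caller passes (unsigned long *)desc. Here desc is the first
     * member of the constructed frame, so an overread stays inside one
     * object and the model itself is not undefined behaviour. */
    r.copied = stub_data_copy(stub, &f, data_count);
    for (size_t i = sizeof f.desc; i < r.copied; i++)
        if (stub[i] == 0xAA)
            r.leaked++;
    return r;
}

/* Vulnerable shape: a BYTE count (assumed here to be rounded up to a multiple
 * of sizeof(long)) passed where a LONG count is expected. 16 bytes become
 * 16 longs, i.e. 128 bytes on LP64, the size KASAN reported. */
struct copy_result run_buggy(void)
{
    size_t bytes_rounded = (sizeof(struct desc_model) + sizeof(unsigned long) - 1)
                           & ~(sizeof(unsigned long) - 1);
    return run_copy((int)bytes_rounded);
}

/* Fixed shape: a count of longs. The static assertion is an extra guard
 * added here so a descriptor that is not a whole number of longs cannot be
 * silently truncated by the division. */
struct copy_result run_fixed(void)
{
    _Static_assert(sizeof(struct desc_model) % sizeof(unsigned long) == 0,
                   "descriptor must be a whole number of longs");
    return run_copy((int)(sizeof(struct desc_model) / sizeof(unsigned long)));
}

int main(void)
{
    struct copy_result b = run_buggy(), g = run_fixed();
    printf("buggy: copied %zu bytes, %zu from beyond desc\n", b.copied, b.leaked);
    printf("fixed: copied %zu bytes, %zu from beyond desc\n", g.copied, g.leaked);
    return 0;
}
```

On an LP64 build run_buggy() reports 128 bytes copied, 112 of them from beyond the descriptor, which matches the "Read of size 128" against a 16-byte object in the KASAN report; run_fixed() copies exactly 16. The 0xAA marker is the model's way of showing that what leaks is whatever happens to sit next to the descriptor on the stack, which is why the CVSS vector rates confidentiality impact high.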

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

um: Fix out-of-bounds read in LDT setup

syscall_stub_data() expects the data_count parameter to be the number of longs, not bytes.

==================================================================
BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
Read of size 128 at addr 000000006411f6f0 by task swapper/1

CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
Call Trace:
 show_stack.cold+0x166/0x2a7
 __dump_stack+0x3a/0x43
 dump_stack_lvl+0x1f/0x27
 print_report.cold+0xdb/0xf81
 kasan_report+0x119/0x1f0
 kasan_check_range+0x3a3/0x440
 memcpy+0x52/0x140
 syscall_stub_data+0x70/0xe0
 write_ldt_entry+0xac/0x190
 init_new_ldt+0x515/0x960
 init_new_context+0x2c4/0x4d0
 mm_init.constprop.0+0x5ed/0x760
 mm_alloc+0x118/0x170
 0x60033f48
 do_one_initcall+0x1d7/0x860
 0x60003e7b
 kernel_init+0x6e/0x3d4
 new_thread_handler+0x1e7/0x2c0

The buggy address belongs to stack of task swapper/1
 and is located at offset 64 in frame:
 init_new_ldt+0x0/0x960

This frame has 2 objects:
 [32, 40) 'addr'
 [64, 80) 'desc'
==================================================================

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499 Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

The oversized kernel-stack copy discloses memory adjacent to the descriptor, which is the unauthorized-read path behind T1212; the same overread can crash the UML kernel, which is T1499. The credential-access mapping is generic: nothing on this page shows that credentials sit at that stack location, hence the medium confidence.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-49094 (same product: Linux kernel)
CVE-2026-31464 (same product: Linux kernel)
CVE-2022-49251 (same product: Linux kernel)
CVE-2025-71116 (same product: Linux kernel)
CVE-2022-49368 (same product: Linux kernel)
CVE-2025-21743 (same product: Linux kernel)
CVE-2022-49738 (same product: Linux kernel)
CVE-2026-31774 (same product: Linux kernel)
CVE-2026-23325 (same product: Linux kernel)
CVE-2025-21815 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 2.6.15 to 4.9.318; 4.10 to 4.14.283; 4.15 to 4.19.247

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the stack-based out-of-bounds read by requiring timely application of the Linux kernel patches that correct the data_count value passed to syscall_stub_data() during LDT setup.

Memory protection (prevent; no control identifier is given on this page)
Implements memory protection mechanisms intended to restrict out-of-bounds reads from the kernel stack during LDT setup in UML. Treat this as a weak control for this bug: the overread is an in-kernel memcpy with an oversized length, which generic memory protection does not stop. It was found by KASAN, an instrumentation feature for test builds, not by a production mechanism.

RA-5 Vulnerability Monitoring and Scanning (detect)
Monitors and scans for vulnerabilities such as CVE-2022-49395 in Linux kernel UML builds to identify and prioritize remediation.
