Cyber Resilience

CVE-2022-49401

High

Published: 26 February 2025
Modified: 22 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (kernel stable commits, see Deeper analysis)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49401 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 36.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2022-49401 is a vulnerability in the Linux kernel's memory management subsystem, specifically in mm/page_owner.c. The issue arises from the use of strlcpy() to copy the current process's comm[] field (current->comm[]), which is not guaranteed to be NUL-terminated. strlcpy() begins by calling strlen() on the source buffer, so a comm[] without a terminating zero byte makes strlen() read past the end of the field; the kernel's fortified string helpers detect this and report it as a buffer overflow, which is how syzbot found it. The flaw triggers a kernel BUG in __fortify_strlen during page allocation, for example in __set_page_owner_handle(), and is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges (PR:L) can reach the vulnerable code through ordinary memory allocation paths, such as slab allocations that go through alloc_pages() and related functions like get_page_from_freelist() or dst_alloc(), whenever page_owner tracking is enabled. The result is a kernel panic via fortify_panic(), i.e. a denial of service (A:H). The high confidentiality impact (C:H) reflects the potential for information disclosure during the out-of-bounds access before the crash.

Kernel stable patches address the issue by replacing strlcpy() with strscpy(), which safely copies without relying on strlen() for non-null-terminated sources. Relevant commits include 5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf and cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a, available via git.kernel.org/stable.
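To make the difference between the two copy routines concrete, here is an added userspace model of the pre-fix and post-fix behaviour. It is example code written for this page, not kernel code and not part of the stable patches: the model_* functions reimplement the relevant semantics of the kernel's fortified strlen(), strlcpy() and strscpy() in plain C, struct model_task stands in for task_struct (only the 16-byte comm[] and a neighbouring field are modelled, and TASK_COMM_LEN = 16 matches the kernel), and the comm[] contents are constructed so that it contains no NUL byte at all.

```c
#include <stddef.h>
#include <string.h>

/* Added example: a userspace model of strlcpy() vs strscpy() on a
 * task comm[] that has no terminating NUL. Names prefixed model_ are
 * this example's own; TASK_COMM_LEN matches the kernel's value (16). */
#define TASK_COMM_LEN 16
#define MODEL_E2BIG 7   /* kernel strscpy() returns -E2BIG on truncation */

/* Constructed layout: comm[] is followed by another field, as in
 * task_struct, so an unterminated comm[] runs straight into it. */
struct model_task {
    char comm[TASK_COMM_LEN];
    char next_field[32];
};

/* Model of the kernel's fortified strlen(): the source object size is
 * known, so the walk is bounded by it and a missing NUL inside the
 * object is reported. The kernel calls fortify_panic() at this point
 * (the "kernel BUG at lib/string_helpers.c" in the report); we return -1. */
static long model_fortify_strlen(const char *p, size_t p_size) {
    size_t n = 0;
    while (n < p_size && p[n] != '\0')
        n++;
    if (n >= p_size)
        return -1;      /* kernel: fortify_panic("__fortify_strlen") */
    return (long)n;
}

/* Model of pre-fix strlcpy(): it measures the whole source first, so how
 * far it reads depends on where a NUL happens to be, not on 'size'. */
long model_strlcpy(char *dst, const char *src, size_t src_obj_size, size_t size) {
    long ret = model_fortify_strlen(src, src_obj_size);
    if (ret < 0)
        return ret;     /* would have been a kernel BUG */
    size_t len = ((size_t)ret >= size) ? size - 1 : (size_t)ret;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return ret;
}

/* Model of strscpy(): inspects at most 'size' bytes of src, always
 * NUL-terminates dst, returns bytes copied or -E2BIG when truncated. */
long model_strscpy(char *dst, const char *src, size_t size) {
    for (size_t i = 0; i < size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return (long)i;
    }
    dst[size - 1] = '\0';
    return -MODEL_E2BIG;
}

/* Constructed problem case: comm[] is 16 non-NUL bytes; the neighbouring
 * field is non-NUL too, with a NUL only at its very end. */
static void model_fill_unterminated(struct model_task *t) {
    memset(t->comm, 'A', TASK_COMM_LEN);
    memset(t->next_field, 'B', sizeof t->next_field - 1);
    t->next_field[sizeof t->next_field - 1] = '\0';
}

/* Pre-fix path as in __set_page_owner_handle(): returns -1 (panic). */
long model_page_owner_strlcpy(void) {
    struct model_task t;
    char dst[TASK_COMM_LEN];
    model_fill_unterminated(&t);
    return model_strlcpy(dst, t.comm, sizeof t.comm, sizeof dst);
}

/* Post-fix path: returns -E2BIG and never looks past comm[]. */
long model_page_owner_strscpy_ret(void) {
    struct model_task t;
    char dst[TASK_COMM_LEN];
    model_fill_unterminated(&t);
    return model_strscpy(dst, t.comm, sizeof dst);
}

/* Post-fix path: dst is a proper 15-character string plus NUL. */
long model_page_owner_strscpy_len(void) {
    struct model_task t;
    char dst[TASK_COMM_LEN];
    model_fill_unterminated(&t);
    model_strscpy(dst, t.comm, sizeof dst);
    return (long)strlen(dst);
}

/* What an unfortified strlen() would do: scanning from comm[] through the
 * whole object (read via a char pointer to the struct, so this is well
 * defined here) counts 16 + 31 = 47 bytes, i.e. 31 bytes past comm[]. */
long model_unbounded_strlen_from_comm(void) {
    struct model_task t;
    model_fill_unterminated(&t);
    return (long)strlen((const char *)&t);
}

/* Sanity check: with a properly terminated comm[] both routines agree. */
long model_page_owner_terminated(void) {
    struct model_task t;
    char dst[TASK_COMM_LEN];
    memset(&t, 0, sizeof t);
    memcpy(t.comm, "dhcpcd", 7);
    return model_strlcpy(dst, t.comm, sizeof t.comm, sizeof dst);
}
```

The point the model makes is that strlcpy()'s contract requires a NUL-terminated source, which comm[] does not promise, while strscpy() only ever touches the number of bytes it is told about and still yields a terminated destination; the fortify check turns the silent over-read into the BUG seen in the syzbot report.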

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: mm/page_owner: use strscpy() instead of strlcpy(). current->comm[] is not a string (no guarantee for a zero byte in it). strlcpy(s1, s2, l) is calling strlen(s2), potentially causing out-of-bound access, as reported by syzbot:

detected buffer overflow in __fortify_strlen
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:980!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980
Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a
RSP: 0018:ffffc900000074a8 EFLAGS: 00010286
RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000
RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87
RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000
R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700
R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 __fortify_strlen include/linux/fortify-string.h:128 [inline]
 strlcpy include/linux/fortify-string.h:143 [inline]
 __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171
 __set_page_owner+0x3e/0x50 mm/page_owner.c:190
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8df/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
 dst_alloc+0x146/0x1f0 net/core/dst.c:92

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A local kernel out-of-bounds read triggers fortify_panic() during page allocation, which maps directly to system exploitation for DoS (kernel panic), with secondary information disclosure.

Confidence: MEDIUM (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-21717 (same product: Linux Linux Kernel)
CVE-2022-49706 (same product: Linux Linux Kernel)
CVE-2026-43006 (same product: Linux Linux Kernel)
CVE-2025-21794 (same product: Linux Linux Kernel)
CVE-2022-49674 (same product: Linux Linux Kernel)
CVE-2026-23388 (same product: Linux Linux Kernel)
CVE-2022-49163 (same product: Linux Linux Kernel)
CVE-2026-23102 (same product: Linux Linux Kernel)
CVE-2022-49444 (same product: Linux Linux Kernel)
CVE-2025-21719 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.18 through 5.18.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely remediation of the kernel flaw by patching the unsafe strlcpy() usage in mm/page_owner.c with strscpy().

RA-5 Vulnerability Monitoring and Scanning (detect)
Enables identification of systems running kernel versions affected by CVE-2022-49401 through vulnerability scanning.

Memory protections (prevent / detect)
Provides memory protections that mitigate or detect out-of-bounds reads triggered by strlen() on a non-NUL-terminated current->comm[] during page allocation.
