Cyber Resilience

CVE-2022-49622

High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49622 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49622 is a use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem. It occurs when packet tracing is enabled and a socket buffer (skb) receives an NF_STOLEN verdict, after which the skb may already have been freed. The tracing code then reads skb->nf_trace and skb->mark, computes a trace ID, and dumps the packet payload, all from memory that may no longer be valid. The flaw is classified under CWE-416 with a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering nf_tables tracing on packets that result in an NF_STOLEN verdict. Successful exploitation leads to high-impact confidentiality, integrity, and availability consequences through arbitrary memory access and potential code execution or denial of service.

The provided patch references detail mitigations applied in Linux kernel stable releases. These include caching a copy of skb->nf_trace in the trace state structure and refreshing it only when the verdict is not NF_STOLEN, skipping skb->mark access if the verdict is NF_STOLEN, precomputing the trace ID to avoid dependent accesses, and restricting packet payload dumps to cases where the verdict is not NF_STOLEN. The fixes are available in kernel commits at https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba and https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87.
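The caching pattern described above, as an added userspace C model (not kernel code and not taken from the referenced commits). `struct pkt`, `trace_state`, `trace_event`, `pkt_read`, the `freed` flag, the verdict names and the id function are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: names follow the advisory text, not kernel source. */
enum verdict { V_DROP, V_ACCEPT, V_STOLEN };
struct pkt { bool freed; bool nf_trace; uint32_t mark; uint32_t hash; };
struct trace_state { bool trace; uint32_t id; };  /* cached nf_trace, precomputed id */
struct trace_event { uint32_t id; bool has_mark; uint32_t mark; bool dumped; };

static int stale_reads;  /* reads of a packet after its new owner released it */
static const struct pkt *pkt_read(const struct pkt *p)
{
    stale_reads += p->freed;
    return p;
}

/* Runs while the caller still owns the packet: cache the flag, fix the id. */
static void trace_init(struct trace_state *st, const struct pkt *p)
{
    st->trace = pkt_read(p)->nf_trace;
    st->id = pkt_read(p)->hash ^ 0x9e3779b9u;  /* constructed id function */
}

/* Build a trace record; on V_STOLEN only the cached state is used. */
static bool trace_emit(struct trace_state *st, const struct pkt *p,
                       enum verdict v, struct trace_event *ev)
{
    if (v != V_STOLEN)
        st->trace = pkt_read(p)->nf_trace;  /* refresh the cached copy */
    if (!st->trace)
        return false;
    ev->id = st->id;
    ev->has_mark = ev->dumped = (v != V_STOLEN);  /* skip mark and payload dump */
    ev->mark = ev->has_mark ? pkt_read(p)->mark : 0;
    return true;
}

int main(void)
{
    struct pkt p = { false, true, 7, 0x1234 };  /* constructed sample packet */
    struct trace_state st;
    struct trace_event ev;
    trace_init(&st, &p);
    p.freed = true;  /* the hook returned V_STOLEN and released the packet */
    trace_emit(&st, &p, V_STOLEN, &ev);
    printf("id=%#x mark_logged=%d stale_reads=%d\n", (unsigned)ev.id, ev.has_mark, stale_reads);
    return 0;
}
```

The `freed` flag stands in for real deallocation so the model can count stale reads deterministically instead of touching freed memory.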

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: avoid skb access on nf_stolen

When verdict is NF_STOLEN, the skb might have been freed.

When tracing is enabled, this can result in a use-after-free:
1. access to skb->nf_trace
2. access to skb->mark
3. computation of trace id
4. dump of packet payload

To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN.

Avoid 2 by skipping skb->mark access if verdict is STOLEN.

3 is avoided by precomputing the trace id.

Only dump the packet when verdict is not "STOLEN".

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in nf_tables enables privilege escalation via arbitrary memory access and code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2023-52974 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2022-49176 · Same product: Linux Linux Kernel
CVE-2022-49291 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · ≤ 5.18.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring identification, prioritization, and timely patching of the use-after-free flaw in Linux kernel netfilter nf_tables.

prevent

Prohibits or restricts unnecessary nf_tables packet tracing to avoid triggering the NF_STOLEN verdict and subsequent freed skb accesses.

prevent

Kernel memory protection mechanisms mitigate unauthorized access to freed skb memory during tracing operations.

References