CVE-2022-49622
Published: 26 February 2025
Summary
CVE-2022-49622 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 3.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49622 is a use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem. It occurs when packet tracing is enabled and a socket buffer (skb) receives an NF_STOLEN verdict, which may free the skb. The tracing code then reads skb->nf_trace and skb->mark, computes a trace ID, and dumps the packet payload from the freed memory. The flaw is classified under CWE-416 with a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering nf_tables tracing on packets that result in an NF_STOLEN verdict. Successful exploitation leads to high-impact confidentiality, integrity, and availability consequences through arbitrary memory access and potential code execution or denial of service.
The referenced patches describe the fixes applied in Linux kernel stable releases: keep a cached copy of skb->nf_trace in the trace state structure and refresh it only when the verdict is not NF_STOLEN, skip the skb->mark access if the verdict is NF_STOLEN, precompute the trace ID so it no longer depends on the skb, and dump the packet payload only when the verdict is not NF_STOLEN. The fixes are available in kernel commits at https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba and https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54610
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: avoid skb access on nf_stolen
When verdict is NF_STOLEN, the skb might have been freed. When tracing is enabled, this can result in a use-after-free:
1. access to skb->nf_trace
2. access to skb->mark
3. computation of trace id
4. dump of packet payload
To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN. Avoid 2 by skipping skb->mark access if verdict is STOLEN. 3 is avoided by precomputing the trace id. Only dump the packet when verdict is not "STOLEN".
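As an added illustration that is not kernel code and not part of this record, the following C model contrasts the vulnerable access order with the patched order described in the commit message above. The struct names, the verdict codes, the hash field and the freed flag are stand-ins invented for the model; reads from a "freed" skb are counted instead of corrupting memory.

```c
/* Teaching model (not kernel code) of the nf_tables tracing fix: the trace
 * state caches skb->nf_trace and the trace id before the verdict is applied,
 * and nothing is read from the skb once NF_STOLEN may have freed it. */
#include <stdbool.h>
#include <stdint.h>

#define NF_ACCEPT 1   /* verdict codes are stand-ins for this model only */
#define NF_STOLEN 2

struct skb {          /* stand-in for the kernel's sk_buff */
    uint8_t  nf_trace;
    uint32_t mark;
    uint32_t hash;    /* field the trace id is derived from in this model */
    bool     freed;   /* model flag: set once the skb has been "freed" */
};
struct traceinfo {    /* stand-in for the kernel's trace state struct */
    uint8_t  nf_trace;  /* cached copy, refreshed only while verdict != NF_STOLEN */
    uint32_t trace_id;  /* precomputed before any verdict is applied */
};

static int uaf_reads;   /* counts skb field reads that happen after the free */
static uint8_t  read_nf_trace(const struct skb *s) { if (s->freed) uaf_reads++; return s->nf_trace; }
static uint32_t read_mark(const struct skb *s)     { if (s->freed) uaf_reads++; return s->mark; }
static uint32_t read_hash(const struct skb *s)     { if (s->freed) uaf_reads++; return s->hash; }
/* Rule evaluation stand-in: NF_STOLEN means the hook took ownership and freed skb. */
static int apply_verdict(struct skb *s, int verdict) {
    if (verdict == NF_STOLEN) s->freed = true;
    return verdict;
}
/* Vulnerable order: every access happens after the verdict may have freed skb.
 * Both functions return the number of reads from freed memory (0 is safe). */
int trace_vulnerable(struct skb *s, int verdict) {
    uaf_reads = 0;
    apply_verdict(s, verdict);
    if (!read_nf_trace(s)) return uaf_reads;   /* 1: skb->nf_trace */
    (void)read_mark(s);                        /* 2: skb->mark */
    (void)read_hash(s);                        /* 3: trace id computed from skb */
    return uaf_reads;                          /* 4: payload dump would follow */
}
/* Patched order: cache first, consult the cache, and never touch skb on NF_STOLEN. */
int trace_fixed(struct skb *s, struct traceinfo *info, int verdict) {
    uaf_reads = 0;
    info->nf_trace = read_nf_trace(s);         /* cached copy taken before the verdict */
    info->trace_id = read_hash(s);             /* 3: precomputed trace id */
    int v = apply_verdict(s, verdict);
    if (v != NF_STOLEN) info->nf_trace = read_nf_trace(s);   /* 1: refresh only if not stolen */
    if (!info->nf_trace) return uaf_reads;
    if (v != NF_STOLEN) (void)read_mark(s);    /* 2: skip skb->mark when stolen */
    /* 4: payload would be dumped here only when v != NF_STOLEN */
    return uaf_reads;
}
```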
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in nf_tables enables privilege escalation via arbitrary memory access and code execution from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the CVE by requiring identification, prioritization, and timely patching of the use-after-free flaw in Linux kernel netfilter nf_tables.
- CM-7 (Least Functionality): prohibits or restricts unnecessary nf_tables packet tracing to avoid triggering the NF_STOLEN verdict and subsequent freed skb accesses.
- Kernel memory protection mechanisms mitigate unauthorized access to freed skb memory during tracing operations.