CVE-2022-49626
Published: 26 February 2025
Summary
CVE-2022-49626 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49626 is a use-after-free vulnerability in the Linux kernel's sfc driver, specifically during the disabling of Single Root I/O Virtualization (SR-IOV). The issue occurs when freeing virtual function (VF) resources: the vf->pci_dev pointer is freed by pci_disable_sriov but later read in efx_ef10_sriov_free_vf_vswitching, as detected by the kfence slab debugger. It affects systems using Solarflare (sfc) Ethernet controllers configured for SR-IOV, with the reproducer involving enabling SR-IOV via echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs followed by disabling it via echo 0.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation is triggered through sysfs writes to control SR-IOV on an affected network interface, potentially leading to high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, arbitrary code execution, or system crashes via the dangling pointer dereference.
The kernel stable patch commits referenced in advisories (for example https://git.kernel.org/stable/c/3199e34912d84cdfb8a93a984c5ae5c73fb13e84) fix the issue by setting the vf->pci_dev pointer to NULL at release time, so that the later VF vport and vswitching cleanup no longer reads a freed object. Affected users should apply these upstream patches to vulnerable kernel versions that build the sfc driver.
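The ordering described above (the PCI core frees the VF's pci_dev during SR-IOV disable, then the driver's vswitching cleanup still dereferences the cached pointer) is easier to see in a small model. The following user-space C program is an added example, not the sfc driver's code or the upstream patch: the struct names, the slot allocator, the PCI_DEV_FLAGS_ASSIGNED constant and the read counter are stand-ins constructed for this illustration. The allocator deliberately keeps freed objects addressable so the stale read can be counted (the role kfence played in the advisory's dmesg log) instead of silently corrupting memory; the only difference between the "unfixed" and "fixed" runs is the single assignment that clears the pointer at release time.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the ordering bug behind CVE-2022-49626.
 * Nothing here is kernel code: the structs mirror only the shapes the
 * advisory describes (a per-VF record caching a pointer to the VF's
 * pci_dev, which SR-IOV disable frees before the driver cleanup runs). */

#define MAX_VFS 4
#define PCI_DEV_FLAGS_ASSIGNED 0x1u  /* stand-in for the kernel's "VF assigned to a guest" flag */

struct pci_dev {
    unsigned int dev_flags;
    int in_use;                 /* slot-allocator bookkeeping (model only) */
};

struct ef10_vf {
    struct pci_dev *pci_dev;    /* the pointer that was read after free */
    int vport_freed;
};

struct efx_nic {
    struct ef10_vf vf[MAX_VFS];
    int vf_count;
};

/* Tiny slab: freed objects stay addressable so a stale read can be
 * detected and counted rather than silently corrupting memory. */
static struct pci_dev slab[MAX_VFS];
static int uaf_reads;           /* incremented on every read of a freed slot */

static struct pci_dev *pci_alloc_dev_model(void)
{
    for (int i = 0; i < MAX_VFS; i++) {
        if (!slab[i].in_use) {
            slab[i].in_use = 1;
            slab[i].dev_flags = 0;
            return &slab[i];
        }
    }
    return NULL;
}

static void pci_free_dev_model(struct pci_dev *dev)
{
    dev->in_use = 0;            /* object is gone; any later read is a UAF */
}

static unsigned int read_dev_flags(const struct pci_dev *dev)
{
    if (!dev->in_use)
        uaf_reads++;            /* the condition the kfence BUG line reported */
    return dev->dev_flags;
}

/* Per-VF release. The fix is the single assignment marked FIX: the cached
 * pointer is cleared at the moment the device object is released. */
static void vf_release(struct ef10_vf *vf, int fixed)
{
    pci_free_dev_model(vf->pci_dev);
    if (fixed)
        vf->pci_dev = NULL;     /* FIX: never leave a dangling pointer behind */
}

/* Driver-side cleanup that runs after the PCI core has freed the VFs. */
static void free_vf_vswitching(struct efx_nic *efx)
{
    for (int i = 0; i < efx->vf_count; i++) {
        struct ef10_vf *vf = &efx->vf[i];
        /* Skip VFs still assigned to a guest. With a dangling pointer this
         * test reads freed memory; with the fix the NULL check short-circuits. */
        if (vf->pci_dev && (read_dev_flags(vf->pci_dev) & PCI_DEV_FLAGS_ASSIGNED))
            continue;
        vf->vport_freed = 1;
    }
}

/* Model one enable-then-disable cycle (echo N, then echo 0, to sriov_numvfs)
 * and return how many reads of freed memory the cleanup performed. */
int run_sriov_cycle(int num_vfs, int fixed)
{
    struct efx_nic efx = { .vf_count = num_vfs };

    uaf_reads = 0;
    for (int i = 0; i < num_vfs; i++)
        efx.vf[i].pci_dev = pci_alloc_dev_model();   /* SR-IOV enable */
    for (int i = 0; i < num_vfs; i++)
        vf_release(&efx.vf[i], fixed);               /* SR-IOV disable */
    free_vf_vswitching(&efx);
    return uaf_reads;
}

int main(void)
{
    printf("unfixed: %d use-after-free reads\n", run_sriov_cycle(2, 0));
    printf("fixed:   %d use-after-free reads\n", run_sriov_cycle(2, 1));
    return 0;
}
```

The point the model makes for defenders is that the bug is purely one of lifetime ordering: no attacker-controlled data is involved, so the mitigation is to make the cached pointer's lifetime match the object's (clear it on release), and a NULL check in the consumer is then sufficient. Detection of this class at runtime is what KFENCE provides; it is sampling-based, which is why the commit notes it does not catch the bug on every run.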
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54606
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

sfc: fix use after free when disabling sriov

Use after free is detected by kfence when disabling sriov. What was read after being freed was vf->pci_dev: it was freed from pci_disable_sriov and later read in efx_ef10_sriov_free_vf_vports, called from efx_ef10_sriov_free_vf_vswitching.

Set the pointer to NULL at release time to avoid trying to read it later.

Reproducer and dmesg log (note that kfence doesn't detect it every time):

$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs

BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]

Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):
 efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
 efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xfe/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k

allocated by task 6771 on cpu 10 at 3137.860196s:
 pci_alloc_dev+0x21/0x60
 pci_iov_add_virtfn+0x2a2/0x320
 sriov_enable+0x212/0x3e0
 efx_ef10_sriov_configure+0x67/0x80 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xba/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 6771 on cpu 12 at 3170.991309s:
 device_release+0x34/0x90
 kobject_cleanup+0x3a/0x130
 pci_iov_remove_virtfn+0xd9/0x120
 sriov_disable+0x30/0xe0
 efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xfe/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
The local kernel use-after-free in the sfc SR-IOV path enables privilege escalation: a low-privileged sysfs write reaches the dangling pointer dereference, which can lead to kernel memory corruption or arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the use-after-free in the sfc driver's SR-IOV disable path by applying the kernel patches that set the vf->pci_dev pointer to NULL before the subsequent reads.
- Runtime memory protections such as KASLR, SMEP/SMAP and stack canaries hinder exploitation of the dangling pointer dereference but do not remove the bug.
- CM-7 (Least Functionality): restricts the kernel to the functionality actually needed by disabling unnecessary SR-IOV support on sfc network interfaces, which removes the vulnerable configuration path exposed via sysfs.