Cyber Resilience

CVE-2022-49626

High

Published: 26 February 2025

Published
26 February 2025
Modified
24 March 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 3.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-49626 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49626 is a use-after-free vulnerability in the Linux kernel's sfc driver, specifically during the disabling of Single Root I/O Virtualization (SR-IOV). The issue occurs when freeing virtual function (VF) resources: the vf->pci_dev pointer is freed by pci_disable_sriov but later read in efx_ef10_sriov_free_vf_vswitching, as detected by the kfence slab debugger. It affects systems using Solarflare (sfc) Ethernet controllers configured for SR-IOV, with the reproducer involving enabling SR-IOV via echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs followed by disabling it via echo 0.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation is triggered through sysfs writes to control SR-IOV on an affected network interface, potentially leading to high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, arbitrary code execution, or system crashes via the dangling pointer dereference.

Kernel stable patch commits referenced in advisories, such as those at https://git.kernel.org/stable/c/3199e34912d84cdfb8a93a984c5ae5c73fb13e84 and others, mitigate the issue by setting the vf->pci_dev pointer to NULL at release time, preventing the subsequent invalid read during VF vport and vswitching cleanup. Affected users should apply these upstream patches to vulnerable kernel versions supporting the sfc driver.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: sfc: fix use after free when disabling sriov Use after free is detected by kfence when disabling sriov. What was read after being freed was vf->pci_dev: it was freed from…

more

pci_disable_sriov and later read in efx_ef10_sriov_free_vf_vports, called from efx_ef10_sriov_free_vf_vswitching. Set the pointer to NULL at release time to not trying to read it later. Reproducer and dmesg log (note that kfence doesn't detect it every time): $ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs $ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224): efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] efx_ef10_pci_sriov_disable+0x38/0x70 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xfe/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k allocated by task 6771 on cpu 10 at 3137.860196s: pci_alloc_dev+0x21/0x60 pci_iov_add_virtfn+0x2a2/0x320 sriov_enable+0x212/0x3e0 efx_ef10_sriov_configure+0x67/0x80 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xba/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae freed by task 6771 on cpu 12 at 3170.991309s: device_release+0x34/0x90 kobject_cleanup+0x3a/0x130 pci_iov_remove_virtfn+0xd9/0x120 sriov_disable+0x30/0xe0 efx_ef10_pci_sriov_disable+0x57/0x70 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xfe/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in sfc SR-IOV path directly enables privilege escalation via dangling pointer dereference leading to arbitrary code execution or memory corruption from low-privileged sysfs writes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2023-52974Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2022-49176Same product: Linux Linux Kernel
CVE-2022-49291Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.19 · 4.2 — 4.9.324 · 4.10 — 4.14.289 · 4.15 — 4.19.253

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free in the sfc driver's SR-IOV disabling by applying kernel patches that nullify the vf->pci_dev pointer before subsequent reads.

prevent

Implements runtime memory protections like KASLR, SMEP/SMAP, and stack canaries to hinder exploitation of the use-after-free dangling pointer dereference.

prevent

Restricts the kernel to least functionality by disabling unnecessary SR-IOV support on sfc network interfaces, eliminating the vulnerable configuration path via sysfs.

References