CVE-2022-49698
Published: 26 February 2025
Summary
CVE-2022-49698 is a high-severity vulnerability in the Linux kernel whose weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 29.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49698 is a vulnerability in the Linux kernel's netfilter subsystem, specifically within the nft_numgen module's nft_ng_random_eval function. The issue arises from the use of prandom_u32, which can invoke smp_processor_id() in a preemptible user context, such as the local_out path, leading to a kernel BUG like "using smp_processor_id() in preemptible code." This affects Linux kernels prior to the application of the fix, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability by triggering the affected code path, for example through nftables rules whose numgen random expression is evaluated on the local output path of a user process such as nginx. Successful exploitation can result in high impacts on confidentiality, integrity, and availability, potentially causing kernel instability or crashes, as indicated by the BUG trace involving check_preemption_disabled.
Mitigation is provided through kernel patches in stable repositories, which replace prandom_u32 with get_random_u32 to leverage the random driver and avoid per-cpu rnd_state updates in preemptible contexts. Key commits include 15cc30ac2a8d7185f8ebf97dd1ddd90a7c79783b, 6ce71f83f798be7e1ca68707fec449fbecb38852, b1fd94e704571f98b21027340eecf821b2bdffba, and d0906b0fffc9f19bc42708ca3e84e2089088386c, originally based on a patch from Pablo Neira.
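As an added illustration (not kernel code and not taken from the commits above), the following user-space C model reproduces the mechanism behind the bug and the fix: the old prandom_u32() updated a per-cpu rnd_state located via smp_processor_id(), which the kernel's debug check (check_preemption_disabled) rejects when the caller is preemptible, whereas get_random_u32() draws from the random driver and needs no per-cpu state. reciprocal_scale() and the modulus/offset shape of the numgen random expression follow the kernel's definitions; every model_-prefixed name and both toy generators are assumptions made for this example only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: a user-space model of CVE-2022-49698, not kernel source.
 * model_* names are assumptions made for this illustration. */

#define MODEL_NR_CPUS 4

/* Mimics preempt_count(): 0 means the current task may be preempted and
 * migrated to another CPU at any time (the situation on the local_out path). */
static int model_preempt_count = 0;

/* Set when a per-cpu accessor runs while preemptible; the kernel logs
 * "BUG: using smp_processor_id() in preemptible code" for this. */
static bool model_preemption_bug = false;

/* Per-cpu PRNG state, standing in for the old per-cpu rnd_state. */
static uint32_t model_rnd_state[MODEL_NR_CPUS] = {
    0x12345678u, 0x9abcdef0u, 0x0fedcba9u, 0x87654321u };
static int model_current_cpu = 0;

/* smp_processor_id() with the debug check check_preemption_disabled() does. */
static int model_smp_processor_id(void)
{
    if (model_preempt_count == 0)
        model_preemption_bug = true;   /* the check fires */
    return model_current_cpu;
}

/* Old behaviour: prandom_u32() reads and writes per-cpu state (toy xorshift).
 * If the task migrates between the id lookup and the write, another CPU's
 * state is updated without any lock, which is why the check exists. */
static uint32_t model_prandom_u32(void)
{
    uint32_t *s = &model_rnd_state[model_smp_processor_id()];
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *s = x;
    return x;
}

/* New behaviour: get_random_u32() comes from the random driver, which keeps
 * its own lock-protected state and never needs smp_processor_id() here
 * (toy LCG standing in for the driver). */
static uint32_t model_get_random_u32(void)
{
    static uint32_t driver_state = 0xdeadbeefu;
    driver_state = driver_state * 1664525u + 1013904223u;
    return driver_state;
}

/* Same formula as the kernel's reciprocal_scale(): map val into [0, ep_ro)
 * with a multiply and shift instead of a division. */
static uint32_t model_reciprocal_scale(uint32_t val, uint32_t ep_ro)
{
    return (uint32_t)(((uint64_t)val * ep_ro) >> 32);
}

/* Private data of a numgen random expression: result in [offset, offset+modulus). */
struct model_nft_ng_random { uint32_t modulus; uint32_t offset; };

/* Vulnerable shape of the generator: per-cpu PRNG. */
static uint32_t model_ng_random_gen_vulnerable(const struct model_nft_ng_random *priv)
{
    return model_reciprocal_scale(model_prandom_u32(), priv->modulus) + priv->offset;
}

/* Fixed shape: random driver, no per-cpu access. */
static uint32_t model_ng_random_gen_fixed(const struct model_nft_ng_random *priv)
{
    return model_reciprocal_scale(model_get_random_u32(), priv->modulus) + priv->offset;
}

/* Evaluate the expression from a preemptible (user) context and report
 * whether the preemption check fired; the generated value goes to *out. */
static bool model_eval_preemptible(bool fixed, const struct model_nft_ng_random *priv,
                                   uint32_t *out)
{
    model_preempt_count = 0;          /* user context: preemption enabled */
    model_preemption_bug = false;
    *out = fixed ? model_ng_random_gen_fixed(priv)
                 : model_ng_random_gen_vulnerable(priv);
    return model_preemption_bug;
}

int main(void)
{
    struct model_nft_ng_random priv = { .modulus = 10, .offset = 100 };
    uint32_t v;
    bool bug = model_eval_preemptible(false, &priv, &v);
    printf("vulnerable: value=%u bug_check_fired=%d\n", v, bug);   /* fired=1 */
    bug = model_eval_preemptible(true, &priv, &v);
    printf("fixed:      value=%u bug_check_fired=%d\n", v, bug);   /* fired=0 */
    return 0;
}
```

Both variants return a value in the configured range; only the vulnerable one trips the preemption check, which is exactly the difference the stable patches made by swapping prandom_u32 for get_random_u32.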
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54537
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: netfilter: use get_random_u32 instead of prandom
bh might occur while updating per-cpu rnd_state from user context, ie. local_out path.
BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
Call Trace:
check_preemption_disabled+0xde/0xe0
nft_ng_random_eval+0x24/0x54 [nft_numgen]
Use the random driver instead, this also avoids need for local prandom state. Moreover, prandom now uses the random driver since d4150779e60f ("random32: use real rng for non-deterministic randomness"). Based on earlier patch from Pablo Neira.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel bug in netfilter/nftables allows low-privileged user to trigger BUG/crash (OS-level DoS) via crafted nftables rules.
Mitigating Controls (NIST 800-53 r5)
Timely remediation of the kernel flaw in nft_ng_random_eval by applying the stable patches removes the per-cpu state update and so prevents the preemption BUG from being triggered.
Prohibiting or restricting non-essential netfilter functionality, in particular the nft_numgen random expression, keeps local users from reaching the vulnerable code path.
Vulnerability scanning and monitoring identify Linux kernels still affected by CVE-2022-49698 so that patching can be prioritized.