Cyber Resilience

CVE-2022-49698

Severity: High
Published: 26 February 2025
Modified: 24 October 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-49698 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 29.7th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49698 is a vulnerability in the Linux kernel's netfilter subsystem, specifically within the nft_numgen module's nft_ng_random_eval function. The issue arises from the use of prandom_u32, which can invoke smp_processor_id() in a preemptible user context, such as the local_out path, producing a kernel BUG such as "using smp_processor_id() in preemptible code." Kernels without the fix are affected; the CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can trigger the affected code path by causing packets sent from a user process to be evaluated against an nftables rule that uses the nft_numgen random generator; in the reported trace that process was nginx. Successful exploitation can result in high impacts on confidentiality, integrity, and availability, most visibly kernel instability or crashes, as the BUG trace through check_preemption_disabled indicates.

Mitigation is provided through kernel patches in stable repositories, which replace prandom_u32 with get_random_u32 to leverage the random driver and avoid per-cpu rnd_state updates in preemptible contexts. Key commits include 15cc30ac2a8d7185f8ebf97dd1ddd90a7c79783b, 6ce71f83f798be7e1ca68707fec449fbecb38852, b1fd94e704571f98b21027340eecf821b2bdffba, and d0906b0fffc9f19bc42708ca3e84e2089088386c, originally based on a patch from Pablo Neira.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: use get_random_u32 instead of prandom

bh might occur while updating per-cpu rnd_state from user context, ie. local_out path.

BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
Call Trace:
check_preemption_disabled+0xde/0xe0
nft_ng_random_eval+0x24/0x54 [nft_numgen]

Use the random driver instead, this also avoids need for local prandom state. Moreover, prandom now uses the random driver since d4150779e60f ("random32: use real rng for non-deterministic randomness").

Based on earlier patch from Pablo Neira.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel bug in netfilter/nftables allows low-privileged user to trigger BUG/crash (OS-level DoS) via crafted nftables rules.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388 (same product: Linux kernel)
CVE-2026-23242 (same product: Linux kernel)
CVE-2026-22991 (same product: Linux kernel)
CVE-2025-21717 (same product: Linux kernel)
CVE-2026-23459 (same product: Linux kernel)
CVE-2026-31640 (same product: Linux kernel)
CVE-2026-31739 (same product: Linux kernel)
CVE-2022-49509 (same product: Linux kernel)
CVE-2022-49163 (same product: Linux kernel)
CVE-2024-56772 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.19; 4.18 to 5.10.127; 5.11 to 5.15.51; 5.16 to 5.18.8
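As an added example (not part of this advisory or of the kernel project), a Python check that parses a `uname -r` string and tests it against the affected upstream ranges listed above; the standalone "5.19" entry is read literally as exactly 5.19, including its -rc builds, which is an assumption.

```python
import platform
import re

# Affected upstream ranges from the advisory, as inclusive (lo, hi) bounds.
# "5.19" is listed on its own; it is treated here as exactly 5.19 (assumption).
AFFECTED_RANGES = [
    ((4, 18, 0), (5, 10, 127)),
    ((5, 11, 0), (5, 15, 51)),
    ((5, 16, 0), (5, 18, 8)),
    ((5, 19, 0), (5, 19, 0)),
]


def parse_kernel_version(release):
    """Turn a `uname -r` string into a (major, minor, patch) tuple.

    Distribution suffixes such as "-generic", "-rc5" or ".el8.x86_64" are
    ignored; a missing patch level (e.g. "5.19-rc5") is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(release):
    """Return the (lo, hi) range that matches `release`, or None."""
    version = parse_kernel_version(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= version <= hi:
            return (lo, hi)
    return None


def is_affected(release):
    """True when the upstream version number falls inside an affected range."""
    return affected_range(release) is not None


def check_running_kernel():
    """Apply the check to the kernel this script is running on."""
    return is_affected(platform.release())


if __name__ == "__main__":
    # Constructed sample strings, not captured from any particular host.
    for sample in ["5.10.127-generic", "5.10.128", "5.19-rc5", "6.1.0"]:
        print(sample, "affected" if is_affected(sample) else "not affected")
```

Distribution kernels frequently backport the fix without changing the upstream version number, so a match here is a prompt to consult the vendor's advisory or changelog, not a confirmation of exposure.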

Mitigating Controls (NIST 800-53 r5)

prevent, SI-2 Flaw Remediation: Timely remediation of the kernel flaw in nft_ng_random_eval by applying patches directly prevents the preemption BUG from being triggered.

prevent, CM-7 Least Functionality: Prohibiting or restricting non-essential netfilter nft_numgen random functionality prevents local attackers from triggering the vulnerable code path.

detect: Vulnerability scanning and monitoring identifies Linux kernels vulnerable to CVE-2022-49698 for prioritization of patching.
