CVE-2022-49622
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: avoid skb access on nf_stolen
When verdict is NF_STOLEN, the skb might have been freed.
When tracing is enabled, this can result in a use-after-free:
- access to skb->nf_trace
- access to skb->mark
- computation of trace id
- dump of packet payload
To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN.
Avoid 2 by skipping skb->mark access if verdict is STOLEN.
3 is avoided by precomputing the trace id.
Only dump the packet when verdict is not "STOLEN".
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5efa0fc6d7f7930b18801f07cefae8eeacd6ac02 < 0016d5d46d7440729a3132f61a8da3bf7f84e2ba | affected |
| Linux | Linux | 5efa0fc6d7f7930b18801f07cefae8eeacd6ac02 < e34b9ed96ce3b06c79bf884009b16961ca478f87 | affected |
| Linux | Linux | 4.10 | affected |
| Linux | Linux | 0 < 4.10 | unaffected |
| Linux | Linux | 5.18.13 <= 5.18.* | unaffected |
| Linux | Linux | 5.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba
- https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.