CVE-2022-48912: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: fix use-after-free in __nf_register_net_hook()

We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already.

BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
 hooks_validate net/netfilter/core.c:171 [inline]
 __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024
 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084
 __sys_setsockopt+0x2db/0x610 net/socket.c:2180
 __do_sys_setsockopt net/socket.c:2191 [inline]
 __se_sys_setsockopt net/socket.c:2188 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65a1ace7d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130
R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000
 </TASK>

The buggy address belongs to the page:
page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 alloc_pages_node include/linux/gfp.h:595 [inline]
 kmalloc_large_node+0x62/0x130 mm/slub.c:4438
 __kmalloc_node+0x35a/0x4a0 mm/slub.
---truncated---
AI Analysis
Technical Summary
CVE-2022-48912 is a use-after-free vulnerability in the Linux kernel's netfilter subsystem, specifically in the __nf_register_net_hook() function. Netfilter is a critical component responsible for packet filtering, network address translation, and other packet mangling operations within the Linux kernel. The vulnerability arises because the code dereferences a pointer to new_hooks after releasing the nf_hook_mutex lock, which can lead to a situation where other threads have already freed the allocated hooks. This results in a use-after-free condition, which is a type of memory corruption bug where the kernel accesses memory that has already been freed. The vulnerability was detected by Kernel Address Sanitizer (KASAN), which reported multiple use-after-free bugs in the netfilter core code paths. The stack trace indicates the issue occurs during the registration of network hooks and involves IPv6 SYN proxy functionality and socket option settings. Exploiting this vulnerability could allow an attacker with the ability to register netfilter hooks or manipulate socket options to cause kernel memory corruption, potentially leading to system crashes (denial of service) or privilege escalation by executing arbitrary code within the kernel context. The vulnerability affects Linux kernel versions prior to the patch that fixed the dereference timing of new_hooks, and it is present in kernels used in various environments including cloud platforms such as Google Compute Engine. No known exploits are currently reported in the wild, but the complexity of exploitation depends on the attacker's ability to interact with netfilter hooks and socket options. Given the kernel-level nature of the bug, successful exploitation could have severe consequences.
Potential Impact
For European organizations, the impact of CVE-2022-48912 could be significant, especially for those relying on Linux-based infrastructure for critical services such as web hosting, cloud computing, telecommunications, and industrial control systems. The vulnerability could be exploited to cause denial of service by crashing affected systems or, more critically, to gain elevated privileges on compromised hosts. This could lead to unauthorized access to sensitive data, disruption of services, and lateral movement within networks. Organizations operating data centers or cloud services that use Linux kernels vulnerable to this issue are at risk of targeted attacks. The use of netfilter for firewalling and packet filtering means that network security controls themselves could be compromised or bypassed. Additionally, the vulnerability affects IPv6-related netfilter components, which are increasingly deployed in European networks due to IPv6 adoption mandates and policies. The potential for privilege escalation also raises concerns for multi-tenant environments common in European cloud providers, where isolation between tenants is paramount. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure. Therefore, European organizations should prioritize patching and mitigation to prevent exploitation.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix the use-after-free in __nf_register_net_hook() as soon as they become available from trusted Linux distribution vendors or kernel maintainers.
2. For organizations using custom or embedded Linux kernels, backport the patch to affected kernel versions to ensure protection.
3. Restrict access to interfaces that allow registration of netfilter hooks and manipulation of socket options to trusted administrators only, minimizing the attack surface.
4. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues proactively.
5. Monitor system logs and kernel crash reports for signs of exploitation attempts related to netfilter or socket option anomalies.
6. Use mandatory access control frameworks (e.g., SELinux, AppArmor) to limit the capabilities of processes that can interact with netfilter hooks.
7. In cloud environments, leverage hypervisor-level isolation and network segmentation to reduce the impact of a compromised host.
8. Regularly update and audit firewall and network filtering rules to ensure they do not inadvertently expose vulnerable interfaces.
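Recommendation 5 asks operators to watch kernel crash reports for netfilter-related memory corruption. The following is an added example (not code from the Linux kernel or from this CVE record) of the parsing and triage step that turns a raw KASAN report, such as the one quoted in the description above, into structured fields a log pipeline can alert on: the bug class, the innermost and the compiled (non-inlined) function at the access site, the faulting task, the call trace, the syscall that entered the kernel, and whether the report says the memory had already been freed. The sample report is an abridged, constructed copy of the one in this advisory; the dmesg timestamp format and the x86-64 `__x64_sys_*` wrapper naming are assumptions.

```python
"""Parse a KASAN report from kernel log text and triage it for netfilter involvement.

Added example for this advisory (mitigation 5: monitoring kernel crash reports); not
code from the Linux kernel or from the CVE record. The regular expressions follow the
line shapes visible in the CVE-2022-48912 report; the dmesg timestamp prefix and the
x86-64 syscall wrapper naming (__x64_sys_<name>) are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the report quoted in the CVE description,
# re-broken into the one-entry-per-line form the kernel actually prints.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>
The buggy address belongs to the page:
page_owner tracks the page as freed
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")  # optional dmesg timestamp prefix (assumed format)
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                    r" (?P<loc>\S+)(?P<inline> \[inline\])?")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
TAINT_RE = re.compile(r"(?:Not tainted|Tainted:.*?)\s+(?P<version>\d\S*)")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?: (?P<loc>\S+\.[chS]:\d+))?(?: \[inline\])?$")
NETFILTER_PATHS = ("net/netfilter/", "net/ipv4/netfilter/", "net/ipv6/netfilter/", "include/linux/netfilter")
MEMORY_CORRUPTION = {"use-after-free", "slab-use-after-free", "slab-out-of-bounds", "double-free"}


@dataclass
class KasanReport:
    kind: str                 # KASAN bug class, e.g. "use-after-free"
    site_func: str            # innermost (possibly inlined) function KASAN names
    site_loc: str             # its file:line
    culprit_func: str         # first non-inlined function on the BUG lines
    op: str = ""              # "Read" or "Write"
    size: int = 0
    addr: str = ""
    task: str = ""
    pid: int = 0
    kernel: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # faulting task's call trace, innermost first
    page_freed: bool = False  # the report states the accessed memory had been freed


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    lines = [TS_RE.sub("", line.rstrip()) for line in text.splitlines()]
    bug_hits = [m for m in map(BUG_RE.search, lines) if m]
    if not bug_hits:
        return None
    innermost = bug_hits[0]
    # KASAN prints one BUG line per inlining level; the one without "[inline]" is the
    # compiled function that actually performed the bad access.
    culprit = next((m for m in bug_hits if not m["inline"]), bug_hits[-1])
    rep = KasanReport(kind=innermost["kind"], site_func=innermost["func"],
                      site_loc=innermost["loc"], culprit_func=culprit["func"])
    in_trace = False
    for line in lines:
        if m := ACCESS_RE.search(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), m["addr"]
            rep.task, rep.pid = m["task"], int(m["pid"])
        elif line.startswith("CPU:") and (m := TAINT_RE.search(line)):
            rep.kernel = m["version"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if not line.startswith(" ") or "</TASK>" in line:
                in_trace = False  # register dump or </TASK> ends the faulting task's trace
            elif m := FRAME_RE.match(line):
                rep.frames.append(f"{m['func']} {m['loc']}" if m["loc"] else m["func"])
        if "tracks the page as freed" in line or line.startswith("Freed by task"):
            rep.page_freed = True
    return rep


def netfilter_frames(rep: KasanReport) -> List[str]:
    return [f for f in rep.frames if any(p in f for p in NETFILTER_PATHS)]


def syscall_entry(rep: KasanReport) -> Optional[str]:
    for f in rep.frames:  # assumption: x86-64 wrappers are named __x64_sys_<name>
        if m := re.match(r"__x64_sys_(\w+)", f):
            return m.group(1)
    return None


def triage(rep: KasanReport) -> Dict[str, object]:
    nf = netfilter_frames(rep)
    priority = "high" if rep.kind in MEMORY_CORRUPTION and nf else "review"
    return {"priority": priority, "kind": rep.kind, "culprit": rep.culprit_func,
            "syscall": syscall_entry(rep), "netfilter_frames": len(nf),
            "freed_memory": rep.page_freed, "task": f"{rep.task}/{rep.pid}"}


if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

Only the trace between "Call Trace:" and "</TASK>" is collected, so the page_owner allocation stack printed later in a report does not pollute the culprit path; a production version would feed `triage()` output into the alerting pipeline and key on `priority`, `culprit` and `syscall`.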
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:06:23.294Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe65a7
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:41:09 PM
Last updated: 8/16/2025, 10:37:44 AM