CVE-2022-48935: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unregister flowtable hooks on netns exit

Unregister flowtable hooks before they are released via nf_tables_flowtable_destroy() otherwise hook core reports UAF.

BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x65/0x380 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429
 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571
 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232
 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652

__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.
AI Analysis
Technical Summary
CVE-2022-48935 is a use-after-free (UAF) vulnerability in the Linux kernel's netfilter subsystem, specifically in the management of nf_tables flowtable hooks. When a network namespace (netns) exits, the kernel released the flowtable hooks via nf_tables_flowtable_destroy() without unregistering them first, so the hook core could still reach the freed memory. The Kernel Address Sanitizer (KASAN) reports the result as a use-after-free read in nf_hook_entries_grow(), reached while the hooks of a newly created flowtable are being registered. The fix orders the teardown correctly: __nft_release_hook() calls nft_unregister_flowtable_net_hooks(), which only unregisters the hooks; after a Read-Copy-Update (RCU) grace period no packet can reach the flowtable (no flow offload rules or flowtable hooks remain on the packet path), so nf_flow_table_free() can then safely release the remaining software and hardware entries and unbind the flow_block. Exploiting this vulnerability could allow an attacker able to manipulate netfilter flowtables, which likely requires local privileges or a specific network namespace configuration, to trigger kernel memory corruption. This could lead to denial of service (kernel panic) or potentially privilege escalation if exploited in conjunction with other vulnerabilities. The affected versions correspond to specific Linux kernel commits identified by their hashes, indicating this is a recent and targeted fix. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernels using the nf_tables framework for packet filtering and flow offloading, which is widely used in modern Linux distributions for firewalling and network traffic control.
Potential Impact
For European organizations, the impact of CVE-2022-48935 can be significant, particularly for those relying on Linux-based infrastructure for critical network functions such as firewalls, routers, and virtualized network environments. The vulnerability could lead to kernel crashes causing denial of service, disrupting business operations, especially in sectors like finance, telecommunications, and critical infrastructure where uptime and network security are paramount. Additionally, if combined with other vulnerabilities, it could facilitate privilege escalation attacks, potentially allowing attackers to gain unauthorized control over affected systems. This risk is heightened in multi-tenant environments such as cloud service providers and data centers prevalent in Europe, where network namespaces and containerization are extensively used. The lack of known exploits reduces immediate risk, but the complexity and critical nature of the kernel component involved necessitate prompt attention to prevent future exploitation. Furthermore, regulatory frameworks like GDPR impose strict requirements on data protection and system integrity, so any compromise or downtime could have legal and financial repercussions for European entities.
Mitigation Recommendations
To mitigate CVE-2022-48935, European organizations should:
1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from their distribution vendors. Given the kernel commit hashes provided, tracking vendor advisories for updated kernel packages is critical.
2) Implement strict access controls to limit who can manipulate netfilter configurations and network namespaces, reducing the attack surface.
3) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues proactively.
4) Monitor kernel logs and system behavior for signs of instability or crashes related to netfilter operations, enabling early detection of exploitation attempts.
5) In containerized or virtualized environments, isolate network namespaces carefully and restrict capabilities that allow modification of flowtables.
6) Maintain an up-to-date inventory of Linux kernel versions in use across the organization to prioritize patching efforts.
7) Collaborate with Linux distribution vendors and security communities to stay informed about emerging exploits or additional mitigations related to this vulnerability.
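Recommendation 4 asks for monitoring kernel logs for netfilter-related crashes. The parser below is an added example, not code from this page or from the Linux kernel project: it extracts KASAN reports from dmesg-style text and flags a use-after-free whose call trace runs through net/netfilter/, which is the shape of the report quoted in the description above. The sample input is constructed from that report; the timestamps and the trailing usb line are made up.

```python
import re

# Constructed sample dmesg excerpt built from the KASAN report in the CVE description above.
SAMPLE_DMESG = """\
[  512.001000] BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
[  512.001001] Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
[  512.001002] Call Trace:
[  512.001003]  <TASK>
[  512.001004]  kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
[  512.001005]  nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
[  512.001006]  __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429
[  512.001007]  nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232
[  512.001008]  nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430
[  512.001009]  nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652
[  512.001010]  </TASK>
[  530.200000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\s*(?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<file>\S+\.[chS]:\d+)")

def parse_kasan_reports(text):
    """Split dmesg text into KASAN reports, one dict per 'BUG: KASAN:' line."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):
            cur = {"kind": m["kind"], "func": m["func"], "loc": m["loc"], "access": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue  # outside any report
        elif m := ACCESS_RE.search(line):
            cur["access"] = {"op": m["op"], "size": int(m["size"]), "addr": m["addr"], "task": m["task"], "pid": int(m["pid"])}
        elif line.strip() == "</TASK>":
            cur = None  # end of the faulting task's trace; later allocation/free sections are ignored
        elif m := FRAME_RE.match(line):
            cur["frames"].append((m["func"], m["file"]))
    return reports

def netfilter_frames(report):
    return [func for func, loc in report["frames"] if loc.startswith("net/netfilter/")]

def classify(report):
    """Triage label: a use-after-free with netfilter frames in the trace is the CVE-2022-48935 shape."""
    nf = netfilter_frames(report)
    if report["kind"] == "use-after-free" and nf:
        return "netfilter-uaf"
    return "netfilter-other" if nf else "kasan-other"
```

Feed it the output of dmesg or journalctl -k; a "netfilter-uaf" label on a production host is worth an alert even when no exploit is known, since the same signature appears for an attempted trigger and for a crash.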
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:06:23.299Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6672
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 6/30/2025, 11:56:36 PM
Last updated: 8/13/2025, 12:49:56 PM