CVE-2022-49014: Use-after-free in the Linux kernel TUN driver (tun_detach())
In the Linux kernel, the following vulnerability has been resolved:

net: tun: Fix use-after-free in tun_detach()

syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops the last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net.

This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net have been done.
AI Analysis
Technical Summary
CVE-2022-49014 is a use-after-free in the Linux kernel's TUN/TAP driver (drivers/net/tun.c), in the detach path that runs when a TUN file descriptor is closed (tun_chr_close() -> tun_detach()). The object at issue is the network namespace, struct net. The TUN file's socket holds a reference on that namespace, and __tun_detach() called sock_put() before device teardown had finished: when the socket's reference was the last one, the namespace was released, and the NETDEV notifier chain that runs afterwards (notifier_call_chain(), reached from netdev_run_todo() in the trace above and from netdev_state_change() per the commit message) dereferenced the freed struct net. syzbot found the bug with KASAN on 6.1.0-rc5, which reported an 8-byte read of freed memory. The fix reorders the teardown so that sock_put() is called from tun_detach() only after every access to the namespace has completed; it was merged during the 6.1 development cycle and carried into the stable series, so a kernel is affected if its TUN driver still lacks this change. Reaching the code path requires the ability to create a TUN/TAP device: opening /dev/net/tun and attaching an interface with TUNSETIFF needs CAP_NET_ADMIN in the device's network namespace, but on systems that allow unprivileged user namespaces an ordinary user can obtain that capability inside a namespace of their own. TUN/TAP is used by VPN clients and servers, container and virtual-machine networking, and userspace network stacks. No public exploit is known as of publication and no CVSS score has been assigned.
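The ordering mistake and its fix are easier to see in a small model than in the kernel trace. The following is an added example written for this page, not kernel code and not from the patch: a userspace C program in which a reference-counted "namespace" is dropped by a socket put either before or after a notifier that still dereferences it. All type and function names are stand-ins for the kernel objects discussed above, and the model assumes (for illustration only) that the device itself holds no reference on the namespace and that the socket's reference is the last one, which is the situation syzbot hit. Instead of really freeing memory, the last put marks the object released so the program stays well-defined and the misuse can be reported the way KASAN reported it.

```c
/* Added example (not kernel code): userspace model of the ordering bug behind
 * CVE-2022-49014 and of the fix. Names are stand-ins for the kernel objects
 * discussed on the page and are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct net: a reference-counted network namespace. */
struct net {
    unsigned int refcnt;
    bool released;             /* set when the last reference is dropped; stands in for the real free */
    int devices_unregistered;  /* per-namespace state a notifier would touch */
};

/* Stand-in for the socket that holds a reference on its namespace. */
struct sock {
    struct net *net;
};

/* Stand-in for struct net_device; in this model it holds no reference of its own. */
struct net_device {
    struct net *net;
};

/* get_net()/put_net() model. The kernel releases the namespace once the count
 * reaches zero; here it is only flagged so later misuse can be detected. */
static void net_get(struct net *net) { net->refcnt++; }

static void net_put(struct net *net)
{
    if (--net->refcnt == 0)
        net->released = true;
}

/* sock_put() model: dropping the socket drops its namespace reference. */
static void sock_put(struct sock *sk)
{
    net_put(sk->net);
    sk->net = NULL;
}

/* Model of the NETDEV notifier chain run while a device is unregistered.
 * A real notifier dereferences dev_net(dev); that access is what the bug breaks.
 * Returns 0 on a valid access and -1 if the namespace was already released. */
static int netdev_notifier_chain(struct net_device *dev)
{
    struct net *net = dev->net;

    if (net->released)
        return -1;             /* a use-after-free read in the real kernel */
    net->devices_unregistered++;
    return 0;
}

/* Vulnerable ordering: the socket (and possibly the last namespace reference)
 * is dropped first, then notifiers that still touch the namespace are run. */
static int tun_detach_vulnerable(struct sock *sk, struct net_device *dev)
{
    sock_put(sk);
    return netdev_notifier_chain(dev);
}

/* Fixed ordering (what the patch does): every access to the namespace is
 * finished before the reference that may be the last one is dropped. */
static int tun_detach_fixed(struct sock *sk, struct net_device *dev)
{
    int ret = netdev_notifier_chain(dev);

    sock_put(sk);
    return ret;
}

/* Build the syzbot-like situation: the socket holds the only reference. */
static void setup(struct net *net, struct sock *sk, struct net_device *dev)
{
    net->refcnt = 0;
    net->released = false;
    net->devices_unregistered = 0;
    sk->net = net;
    net_get(net);              /* the socket's reference is the only one */
    dev->net = net;            /* model assumption: the device holds no reference */
}

/* Run one teardown and report whether the notifier saw a released namespace:
 * 0 means every access was valid, -1 means a use-after-free would have occurred. */
int run_scenario(bool fixed)
{
    struct net net;
    struct sock sk;
    struct net_device dev;

    setup(&net, &sk, &dev);
    return fixed ? tun_detach_fixed(&sk, &dev)
                 : tun_detach_vulnerable(&sk, &dev);
}

int main(void)
{
    printf("vulnerable ordering: %s\n",
           run_scenario(false) == 0 ? "ok" : "notifier touched a released namespace");
    printf("fixed ordering:      %s\n",
           run_scenario(true) == 0 ? "ok" : "notifier touched a released namespace");
    return 0;
}
```

The point of the model is that neither function is wrong on its own: sock_put() is a legitimate release and the notifier is a legitimate read. The bug is purely the order in which they run when the reference being dropped happens to be the last one, which is why the kernel fix is a reordering rather than a new check.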
Potential Impact
For European organizations the exposure is any Linux host whose kernel still carries the unfixed TUN driver and on which untrusted code can create TUN/TAP devices. That covers VPN gateways and clients, container hosts (Kubernetes nodes and CNI plugins that use TUN/TAP), hypervisors backing virtual-machine networking, and multi-tenant cloud infrastructure. The KASAN report shows an 8-byte read of freed memory during device teardown; the certain outcome of triggering it is a kernel crash, that is, denial of service of the whole host and every workload on it. As with any kernel use-after-free, a local attacker who can control what is reallocated over the freed namespace may be able to turn the flaw into a memory-corruption and privilege-escalation primitive, which would compromise confidentiality, integrity and availability of the host, but no public exploit demonstrates this. Given the prevalence of Linux in European enterprise servers, cloud platforms and telecommunications equipment, the potentially affected sectors span finance, healthcare, government and critical infrastructure. The absence of known exploitation lowers the immediate risk; the kernel-level nature of the flaw and its location in a foundational networking component still warrant prompt remediation.
Mitigation Recommendations
European organizations should update to a distribution kernel that includes the fix "net: tun: Fix use-after-free in tun_detach()" (the change that moves the sock_put() call in tun_detach() after the remaining accesses to struct net) and reboot, since a kernel fix takes effect only after a reboot or live patch. Where that is not immediately possible, reduce who can reach the code path: keep /dev/net/tun root-owned with restrictive permissions, disable unprivileged user namespaces on hosts whose workloads do not need them (for example user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian-derived kernels that provide it), do not pass /dev/net/tun or CAP_NET_ADMIN into containers that do not need them, and audit container and virtualization platforms to confirm their host kernels are updated. Monitor for unexpected kernel panics or KASAN-style reports around network device teardown; note that KASAN is a debugging tool for finding this class of bug in test kernels, not a production control that detects exploitation attempts. Network segmentation and strict access controls around VPN and container networking components limit who can exercise the TUN driver at all, and a robust incident detection and response capability remains critical for identifying and remediating kernel-level compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-22T01:27:53.645Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6905
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 1:11:40 AM
Last updated: 8/16/2025, 1:57:53 AM