
CVE-2022-49086: Vulnerability in Linux Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:54:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix leak of nested actions

While parsing user-provided actions, openvswitch module may dynamically allocate memory and store pointers in the internal copy of the actions. So this memory has to be freed while destroying the actions.

Currently there are only two such actions: ct() and set(). However, there are many actions that can hold nested lists of actions and ovs_nla_free_flow_actions() just jumps over them leaking the memory.

For example, removal of the flow with the following actions will lead to a leak of the memory allocated by nf_ct_tmpl_alloc():

    actions:clone(ct(commit),0)

Non-freed set() action may also leak the 'dst' structure for the tunnel info including device references.

Under certain conditions with a high rate of flow rotation that may cause significant memory leak problem (2MB per second in reporter's case). The problem is also hard to mitigate, because the user doesn't have direct control over the datapath flows generated by OVS.

Fix that by iterating over all the nested actions and freeing everything that needs to be freed recursively.

New build time assertion should protect us from this problem if new actions will be added in the future.

Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all attributes have to be explicitly checked. sample() and clone() actions are mixing extra attributes into the user-provided action list. That prevents some code generalization too.

AI-Powered Analysis

Last updated: 07/01/2025, 01:59:05 UTC

Technical Analysis

CVE-2022-49086 is a memory leak vulnerability in the Linux kernel's Open vSwitch (OVS) module, specifically in the handling of nested actions within flow rules. Open vSwitch is a multilayer virtual switch commonly used in Linux environments for network automation and virtualization.

When parsing user-provided actions, the OVS module may dynamically allocate memory and store the pointers in its internal copy of the actions; currently only the ct() and set() actions do this. That memory has to be released when the flow is destroyed. The cleanup function ovs_nla_free_flow_actions() jumps over actions that hold nested lists of actions, so a ct() or set() placed inside such a list is never freed. For example, removing a flow with the actions clone(ct(commit),0) leaks the memory allocated by nf_ct_tmpl_alloc(). Similarly, a set() action that is not freed can leak the 'dst' structure for the tunnel info, including device references. Under high flow rotation rates the leak accumulates rapidly (2MB per second in the reporter's case) and can exhaust system memory over time.

Cleanup is complicated by two details: OVS does not use the NLA_F_NESTED flag, so every attribute has to be checked explicitly, and the sample() and clone() actions mix extra attributes into the user-provided action list. The fix iterates recursively over all nested actions, frees everything that needs to be freed, and adds a build-time assertion to guard against the same omission when new actions are added. This vulnerability does not appear to have known exploits in the wild yet and affects specific Linux kernel versions identified by commit hashes. No CVSS score has been assigned to this vulnerability.
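The leak pattern and the recursive fix described above, reduced to a user-space C model. This is an added example, not the kernel patch: the `struct action` layout, the `ACT_*` names and all helper functions are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model; these types are hypothetical, not kernel structs. */
enum act_type { ACT_OUTPUT, ACT_CT, ACT_SET, ACT_CLONE, ACT_SAMPLE, ACT_COUNT };

struct action {
    enum act_type type;
    void *priv;             /* heap object owned by ct()/set(), else NULL */
    struct action *nested;  /* nested list held by clone()/sample(), else NULL */
    size_t n_nested;
};

static int live_objects;    /* outstanding priv allocations */
static void *priv_alloc(void) { live_objects++; return malloc(16); }
static void priv_free(void *p) { if (p) { live_objects--; free(p); } }

/* Leaky pattern: frees top-level ct()/set() only and jumps over nested lists. */
static void free_actions_flat(struct action *a, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i].type == ACT_CT || a[i].type == ACT_SET)
            priv_free(a[i].priv);
}

/* Models the build-time assertion: adding an action type forces a review here. */
_Static_assert(ACT_COUNT == 5, "new action type: update free_actions_recursive()");

/* Fixed pattern: descend into every action that can hold a nested list. */
static void free_actions_recursive(struct action *a, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i].type == ACT_CT || a[i].type == ACT_SET)
            priv_free(a[i].priv);
        else if (a[i].type == ACT_CLONE || a[i].type == ACT_SAMPLE)
            free_actions_recursive(a[i].nested, a[i].n_nested);
    }
}

/* Builds clone(ct(commit),0), destroys it with free_fn, returns objects leaked. */
static int leaked_after(void (*free_fn)(struct action *, size_t)) {
    live_objects = 0;
    struct action inner[] = { { ACT_CT, priv_alloc(), NULL, 0 },
                              { ACT_OUTPUT, NULL, NULL, 0 } }; /* the trailing 0 */
    struct action flow[] = { { ACT_CLONE, NULL, inner, 2 } };
    free_fn(flow, 1);
    int leaked = live_objects;
    if (leaked) free(inner[0].priv);    /* keep the demo itself leak-free */
    return leaked;
}

int main(void) {
    printf("flat free leaks %d object(s)\n", leaked_after(free_actions_flat));
    printf("recursive free leaks %d object(s)\n", leaked_after(free_actions_recursive));
    return 0;
}
```

Each flow removal in the flat variant leaves one object behind, which is why the leak rate in the report scales with flow rotation.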

Potential Impact

For European organizations, especially those relying on Linux-based infrastructure with Open vSwitch for network virtualization, cloud deployments, or container orchestration, this vulnerability can lead to significant memory leaks under high network flow churn. Over time, this can degrade system performance, cause service instability, or lead to denial of service due to resource exhaustion. Critical infrastructure providers, cloud service operators, and enterprises with large-scale virtualized networks are particularly at risk. Since OVS is widely used in data centers and cloud environments, memory leaks can affect network throughput and reliability, potentially impacting business continuity. Although this vulnerability does not directly enable code execution or privilege escalation, the resulting denial of service conditions can disrupt critical services. The lack of user control over datapath flows complicates mitigation, increasing operational risk. Additionally, memory leaks involving tunnel device references may affect network connectivity and routing within virtualized environments.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, ensuring the Open vSwitch module includes the recursive freeing of nested actions. Where immediate patching is not feasible, monitoring the memory usage of OVS-related processes and network flow rates can help detect abnormal leaks early. Limiting excessive flow churn or optimizing flow expiration policies may reduce the impact of the leak. Network administrators should audit OVS configurations to minimize the use of complex nested actions, particularly clone(ct()) and set(). Employing container or VM isolation can contain potential service degradation. Additionally, organizations should engage with Linux distribution vendors to confirm patch availability and deployment timelines. Implementing proactive resource monitoring and alerting for memory anomalies in network components will aid in early detection and response. Finally, reviewing network virtualization architectures to reduce reliance on vulnerable OVS versions can be a long-term strategy.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.248Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6ae8

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 1:59:05 AM

Last updated: 7/31/2025, 4:35:45 PM
