
CVE-2022-49087: Vulnerability in the Linux kernel (rxrpc use-after-free during network namespace teardown)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:54:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix a race in rxrpc_exit_net()

Current code can lead to the following race:

CPU0                                              CPU1

rxrpc_exit_net()
                                                  rxrpc_peer_keepalive_worker()
                                                  if (rxnet->live)

rxnet->live = false;
del_timer_sync(&rxnet->peer_keepalive_timer);

                                                  timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay);

cancel_work_sync(&rxnet->peer_keepalive_work);

rxrpc_exit_net() exits while peer_keepalive_timer is still armed, leading to use-after-free.

syzbot report was:

ODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0
WARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc9000353fb00 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0
R13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:992 [inline]
 debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023
 kfree+0xd6/0x310 mm/slab.c:3809
 ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176
 ops_free_list net/core/net_namespace.c:174 [inline]
 cleanup_net+0x591/0xb00 net/core/net_namespace.c:598
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

AI-Powered Analysis

Last updated: 07/03/2025, 03:27:45 UTC

Technical Analysis

CVE-2022-49087 is a high-severity use-after-free (CWE-416) in the Linux kernel's rxrpc subsystem (the AF_RXRPC socket family, used mainly by kAFS). It is a race between network namespace teardown in rxrpc_exit_net() and the per-namespace peer keepalive worker rxrpc_peer_keepalive_worker(). The worker finishes by checking rxnet->live and, if the flag is still set, re-arming peer_keepalive_timer with timer_reduce(). In the losing interleaving the worker has already passed that check when rxrpc_exit_net() clears rxnet->live and calls del_timer_sync(); the worker then re-arms the timer, and the cancel_work_sync() that follows only waits for the worker to exit, it does not disarm a timer the worker re-armed on its way out. rxrpc_exit_net() therefore returns with the timer still pending, the per-namespace rxrpc_net structure that embeds it is freed by cleanup_net() (kfree() via ops_free_list(), as the call trace shows), and the timer later fires on freed memory. syzbot caught this on a kernel built with CONFIG_DEBUG_OBJECTS, which reported a "free active" timer_list object whose callback is rxrpc_peer_keepalive_timeout; on a production kernel without debugobjects the same bug surfaces as an oops or silent memory corruption some time after the namespace is destroyed.

The CVE record lists kernels from commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b (the start of the affected range) up to the fix as vulnerable. The fix itself was merged upstream in 2022 (the syzbot report is against a post-5.17 tree) and backported to stable series; the CVE identifier was assigned in February 2025 when the Linux CNA published the record, so most maintained distribution kernels already carry the fix. The CVSS 3.1 base score is 7.8, which corresponds to AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity and availability impact. Two practical caveats narrow that picture. Reaching the vulnerable path requires the af_rxrpc module to be loaded or built in, which is not the case on most systems, and it requires a network namespace teardown to coincide with the worker being between its live check and its timer_reduce() call, a narrow window. Network namespaces can be created and destroyed by unprivileged users where unprivileged user namespaces are enabled, so root is not needed to exercise the teardown path on such systems. The realistic outcome is a kernel crash (denial of service); turning the freed-timer dereference into code execution would require controlling the freed slab memory before the timer fires, and no public exploit or in-the-wild exploitation has been reported.
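The interleaving from the commit message, replayed as a user-space model. This is an added example written for this page, not kernel code and not part of the CVE record: the kernel primitives (del_timer_sync(), timer_reduce(), cancel_work_sync(), kfree()) are replaced by explicit steps on a simplified stand-in for struct rxrpc_net so the race can be reproduced deterministically rather than by scheduler luck. The "fixed" ordering, which deletes the timer a second time after the worker has been cancelled, is this editor's reading of the upstream fix and is an assumption, not text quoted from the record.

```c
/* Added example (not from the kernel or the CVE record): a user-space model
 * of the rxrpc_exit_net() / rxrpc_peer_keepalive_worker() race.  Kernel
 * primitives are replaced by explicit steps so the CPU0/CPU1 interleaving
 * from the commit message can be replayed deterministically.  The "fixed"
 * ordering below (a second del_timer_sync() after cancel_work_sync()) is an
 * assumption about the upstream fix, not quoted from the record. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the per-namespace struct rxrpc_net. */
struct rxrpc_net {
    bool live;          /* cleared by rxrpc_exit_net() */
    bool timer_armed;   /* stand-in for peer_keepalive_timer being pending */
};

/* rxrpc_peer_keepalive_worker() samples rxnet->live once and, if it saw
 * true, re-arms the timer later with timer_reduce().  The two halves are
 * split so that teardown can run between them, as on CPU0/CPU1. */
static bool worker_sample_live(const struct rxrpc_net *rxnet)
{
    return rxnet->live;
}

static void worker_timer_reduce(struct rxrpc_net *rxnet, bool saw_live)
{
    if (saw_live)
        rxnet->timer_armed = true;   /* timer_reduce(): timer is pending again */
}

static void del_timer_sync_model(struct rxrpc_net *rxnet)
{
    rxnet->timer_armed = false;      /* del_timer_sync(): timer is not pending */
}

/* Replay rxrpc_exit_net() against one worker interleaving.
 *   worker_races: the worker passed its live check before teardown started
 *                 and calls timer_reduce() between del_timer_sync() and
 *                 cancel_work_sync(), the sequence in the commit message.
 *   fixed:        also delete the timer again after cancel_work_sync().
 * Returns true if the namespace memory is freed while the timer is still
 * armed, i.e. the "free active timer_list" condition ODEBUG reported. */
static bool replay_exit_net(bool worker_races, bool fixed)
{
    struct rxrpc_net *rxnet = calloc(1, sizeof *rxnet);
    if (!rxnet)
        abort();
    rxnet->live = true;
    rxnet->timer_armed = true;                 /* keepalive timer pending */

    /* CPU1: worker has already evaluated "if (rxnet->live)". */
    bool saw_live = worker_races && worker_sample_live(rxnet);

    /* CPU0: rxrpc_exit_net() begins. */
    rxnet->live = false;
    del_timer_sync_model(rxnet);               /* del_timer_sync() */

    /* CPU1: worker finishes with timer_reduce() using its stale observation. */
    worker_timer_reduce(rxnet, saw_live);

    /* CPU0: cancel_work_sync() returns once the worker has exited.  It does
     * nothing about a timer the worker re-armed on its way out, so only the
     * fixed ordering disarms it again here. */
    if (fixed)
        del_timer_sync_model(rxnet);           /* second del_timer_sync() */

    bool hazard = rxnet->timer_armed;          /* debugobjects' free-time check */
    free(rxnet);                               /* ops_free_list() -> kfree() */
    return hazard;
}

int main(void)
{
    printf("no race, original order: %s\n", replay_exit_net(false, false) ? "UAF" : "ok");
    printf("race,    original order: %s\n", replay_exit_net(true,  false) ? "UAF" : "ok");
    printf("race,    fixed order   : %s\n", replay_exit_net(true,  true)  ? "UAF" : "ok");
    return 0;
}
```

The model makes the essential point explicit: del_timer_sync() followed by cancel_work_sync() is not a safe teardown when the work item itself can re-arm the timer, because the ordering leaves a window in which the worker runs after the timer was deleted. Whatever is cancelled last must not be able to resurrect something cancelled earlier, which is why the timer has to be deleted again once the worker is known to be gone.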

Potential Impact

For European organizations the impact of CVE-2022-49087 depends on whether the af_rxrpc module is present on their Linux hosts. Where it is, an attacker with local access, such as a malicious insider, a compromised user account, or an attacker who has already exploited another vulnerability, can provoke the race by creating and destroying network namespaces at the right moment and cause a kernel crash, a denial of service for every workload on that host; a privilege escalation from the freed timer is theoretically possible but has not been demonstrated. Linux is used extensively in European data centres, telecom infrastructure and government systems, and network namespaces are the basis of container isolation in Kubernetes and similar platforms, so the affected teardown path is exercised constantly in cloud-native environments; on the other hand, rxrpc is used mainly by kAFS and is not loaded on most general-purpose systems, which limits the exposed population. The absence of known exploits in the wild lowers the immediate risk, but the fix has been public since 2022 and documents the race precisely, so it offers no protection to hosts that have not picked up the stable backports. European organizations should confirm that their kernels carry the fix and, where AF_RXRPC is not required, prevent the module from loading.

Mitigation Recommendations

1. Apply the kernel update that addresses CVE-2022-49087 from your Linux distribution. The fix was merged upstream in 2022 and backported to the stable series, so check the running kernel version (uname -r) against the distribution advisory rather than assuming a 2025 CVE implies a 2025 patch.
2. If AF_RXRPC is not needed (it is used by kAFS), prevent the af_rxrpc module from loading through the modprobe blacklist configuration and confirm with lsmod that it is not loaded; a host that cannot load the module cannot reach the vulnerable code.
3. In environments using containers or network namespaces, schedule kernel updates to minimize disruption and test compatibility, but do not let the scheduling delay the update on hosts where af_rxrpc is loaded.
4. Limit local user privileges and, where no workload needs them, disable unprivileged user namespaces (the user.max_user_namespaces sysctl, or kernel.unprivileged_userns_clone on distributions that carry it), since they are what lets an unprivileged user create and destroy the network namespaces whose teardown triggers the race.
5. Monitor kernel logs for oopses and panics that mention rxrpc_peer_keepalive_timeout, rxrpc_exit_net or cleanup_net. The "ODEBUG: free active" warning from the syzbot report only appears on kernels built with CONFIG_DEBUG_OBJECTS, which production kernels normally are not.
6. Use kernel hardening features that actually bear on this bug class: KASLR raises the cost of turning the use-after-free into code execution, and seccomp or LSM policy that denies unshare and setns to container workloads removes their ability to create and tear down network namespaces. KPTI mitigates Meltdown-style side channels and does not reduce the exploitability of a kernel use-after-free.
7. Run kernel memory-safety tooling such as KASAN and debugobjects in test and staging environments, where they will flag this class of bug before it reaches production; they are not intended for production kernels.
8. In multi-tenant or cloud environments, isolate workloads and enforce strict tenant separation so that a local crash or compromise on one host cannot spread.
9. Maintain current backups and incident response plans to recover quickly from a crash or compromise.
10. Follow your Linux distribution's security advisories and subscribe to vulnerability notifications for patch releases and any exploit developments.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-02-26T01:49:39.248Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d982fc4522896dcbe6aec

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/3/2025, 3:27:45 AM

Last updated: 8/7/2025, 6:59:09 AM

