CVE-2022-49092: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix route with nexthop object delete warning

FRR folks have hit a kernel warning[1] while deleting routes[2] which is caused by trying to delete a route pointing to a nexthop id without specifying nhid but matching on an interface. That is, a route is found but we hit a warning while matching it. The warning is from fib_info_nh() in include/net/nexthop.h because we run it on a fib_info with nexthop object. The call chain is:

  inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a nexthop fib_info and also with fc_oif set thus calling fib_info_nh on the fib_info and triggering the warning).

The fix is to not do any matching in that branch if the fi has a nexthop object because those are managed separately. I.e. we should match when deleting without nh spec and should fail when deleting a nexthop route with old-style nh spec because nexthop objects are managed separately, e.g.:

  $ ip r show 1.2.3.4/32
  1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0

  $ ip r del 1.2.3.4/32
  $ ip r del 1.2.3.4/32 nhid 12
  <both should work>

  $ ip r del 1.2.3.4/32 dev dummy0
  <should fail with ESRCH>

[1]
  [ 523.462226] ------------[ cut here ]------------
  [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460
  [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1
  [ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460
  ---truncated---
AI Analysis
Technical Summary
CVE-2022-49092 is a vulnerability identified in the Linux kernel's IPv4 networking stack, specifically related to route deletion operations involving nexthop objects. The issue arises when deleting routes that point to nexthop IDs without specifying the nexthop ID (nhid) but matching on an interface. This leads to a kernel warning triggered by the function fib_info_nh() in include/net/nexthop.h. The warning occurs because the code attempts to match a route using an outdated method that does not properly handle nexthop objects, which are managed separately in the kernel. The problem manifests as a warning during route deletion, potentially causing instability or unexpected behavior in network routing operations. The fix involves modifying the deletion logic to avoid matching routes with nexthop objects using the old-style interface matching, ensuring that deletion commands either specify the nexthop ID correctly or fail gracefully with an ESRCH error if the deletion parameters are incorrect. The vulnerability was observed in kernel version 5.16.18-200.fc35.x86_64 and involves complex interactions in the fib_table_delete and fib_nh_match call chain. Although no direct exploit has been reported, the kernel warning indicates a logic flaw that could be leveraged to cause denial of service or other network disruptions if exploited. The vulnerability affects Linux kernel versions identified by the commit hash 4c7e8084fd467ddb2b0e6c6011f9c1064afb7e56 and similar builds. No CVSS score has been assigned yet, and no known exploits are in the wild as of the publication date.
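The delete forms distinguished above (no nexthop spec, by nhid, or by interface) can be checked against a route table before scripts run on an unpatched kernel. This is an added example, not code from the advisory or the kernel; the function names are hypothetical, and treating `via` as an old-style spec alongside `dev` is an assumption.

```python
import ipaddress
import shlex

OLD_STYLE = ("dev", "via")  # "via" treated as old-style too (assumption)

def _net(prefix):
    """Normalize 'default', '1.2.3.4' and '1.2.3.4/32' to one key."""
    return ipaddress.ip_network(
        "0.0.0.0/0" if prefix == "default" else prefix, strict=False)

def nexthop_routes(route_show_output):
    """Map prefix -> nhid for routes that point at a nexthop object."""
    routes = {}
    for line in route_show_output.splitlines():
        tok = line.split()
        if "nhid" in tok[:-1]:
            routes[_net(tok[0])] = int(tok[tok.index("nhid") + 1])
    return routes

def audit_deletes(route_show_output, commands):
    """Return (command, nhid, reason) for deletes naming dev/via, not nhid."""
    routes, findings = nexthop_routes(route_show_output), []
    for cmd in commands:
        tok = shlex.split(cmd)
        # Accept iproute2 abbreviations such as "ip r del".
        if (len(tok) < 4 or tok[0] != "ip"
                or not "route".startswith(tok[1])
                or not "delete".startswith(tok[2])):
            continue
        try:
            net = _net(tok[3])
        except ValueError:
            continue  # not a plain prefix; out of scope for this check
        args = tok[4:]
        used = [a for a in args if a in OLD_STYLE]
        if net in routes and used and "nhid" not in args:
            findings.append((cmd, routes[net], "old-style spec: " + "/".join(used)))
    return findings

# Constructed sample: the route and commands from the advisory, plus
# one ordinary connected route that is not backed by a nexthop object.
ROUTES = """\
1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
"""
COMMANDS = ["ip r del 1.2.3.4/32", "ip r del 1.2.3.4/32 nhid 12",
            "ip r del 1.2.3.4/32 dev dummy0", "ip route del 10.0.0.0/24 dev eth0"]
```

Only the third command is reported: it names an interface for a route that the table shows as nhid 12, the case the fix answers with ESRCH.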
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions, especially those heavily reliant on advanced routing features such as nexthop objects. Network infrastructure devices, routers, and servers using Linux as their operating system could experience kernel warnings or crashes during route deletion operations, potentially leading to network instability or denial of service conditions. This could disrupt critical services, including enterprise networks, cloud infrastructure, and telecommunications systems. Organizations with complex routing configurations or those using FRRouting (FRR) or similar routing software that interacts with the Linux kernel's routing stack are particularly at risk. The impact could extend to data centers and service providers, affecting availability and reliability of network services. While no direct exploitation has been reported, the presence of kernel warnings and potential for improper route handling could be leveraged by attackers with local access or through crafted network configurations to degrade system performance or cause outages.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since the issue relates to kernel-level route deletion logic, applying the latest stable kernel updates from trusted Linux distributions is critical. Network administrators should audit routing configurations to identify usage of nexthop objects and ensure that route deletion commands and scripts specify nexthop IDs correctly to avoid triggering the vulnerable code paths. Additionally, monitoring kernel logs for warnings related to fib_nh_match or nexthop route deletions can help detect attempts to exploit or inadvertently trigger the vulnerability. For environments using FRRouting or similar routing daemons, updating to versions compatible with patched kernels is recommended. In high-security or critical network environments, consider implementing additional network segmentation and access controls to limit the ability of unprivileged users or attackers to manipulate routing tables. Finally, maintain robust backup and recovery procedures to quickly restore network functionality in case of disruption.
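The log monitoring recommended above can be done by matching the WARNING line from the trace and pairing it with the "Comm:" line that names the process. This is an added example, not code from the advisory; the function and variable names are hypothetical and the sample lines after the first four are constructed.

```python
import re

# WARNING line as it appears in the advisory's trace. The header line
# number (468 there) changes between kernel versions, so any is accepted.
WARN_RE = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s+)?WARNING: CPU: \d+ PID: (?P<pid>\d+) "
    r"at (?P<loc>include/net/nexthop\.h:\d+) fib_nh_match\+")
# The following "CPU: ... Comm: ..." line names the process and kernel.
COMM_RE = re.compile(
    r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .*?(?P<kernel>\S+) #\d+")

def find_nexthop_delete_warnings(lines):
    """Return one dict per fib_nh_match warning raised from nexthop.h,
    enriched with the triggering process name and kernel release."""
    events, pending = [], None
    for raw in lines:
        warn = WARN_RE.search(raw)
        if warn:
            pending = {"time": float(warn["ts"]) if warn["ts"] else None,
                       "pid": int(warn["pid"]), "location": warn["loc"],
                       "comm": None, "kernel": None}
            events.append(pending)
            continue
        comm = COMM_RE.search(raw)
        if pending and comm and int(comm["pid"]) == pending["pid"]:
            pending["comm"], pending["kernel"] = comm["comm"], comm["kernel"]
            pending = None  # event complete
    return events

# First four lines are taken from the advisory's trace; the last three
# are constructed (an unrelated warning and a journald-style line).
SAMPLE_LOG = [
    "[ 523.462226] ------------[ cut here ]------------",
    "[ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460",
    "[ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1",
    "[ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460",
    "[ 900.000001] WARNING: CPU: 2 PID: 411 at drivers/example/foo.c:10 example_fn+0x1/0x2",
    "[ 900.000002] CPU: 2 PID: 411 Comm: kworker/2:1 Not tainted 5.16.18-200.fc35.x86_64 #1",
    "Apr 01 10:00:00 rtr1 kernel: WARNING: CPU: 3 PID: 901 at include/net/nexthop.h:470 fib_nh_match+0x210/0x460",
]
```

Feed it the lines of `dmesg` or `journalctl -k` output; an event whose `comm` is a routing daemon or `ip` points at the script or service issuing the old-style delete.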
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.249Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6b14
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 2:10:06 AM
Last updated: 8/14/2025, 12:20:10 AM