CVE-2022-49094: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tls_ctx->rx.iv for AES128-CCM is 12, set in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So a memcpy() that requires 16 bytes from a 12-byte memory space will trigger a slab-out-of-bounds bug as follows:

==================================================================
BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
Read of size 16 at addr ffff888114e84e60 by task tls/10911

Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x5e/0x5db
 ? decrypt_internal+0x385/0xc40 [tls]
 kasan_report+0xab/0x120
 ? decrypt_internal+0x385/0xc40 [tls]
 kasan_check_range+0xf9/0x1e0
 memcpy+0x20/0x60
 decrypt_internal+0x385/0xc40 [tls]
 ? tls_get_rec+0x2e0/0x2e0 [tls]
 ? process_rx_list+0x1a5/0x420 [tls]
 ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
 decrypt_skb_update+0x9d/0x400 [tls]
 tls_sw_recvmsg+0x3c8/0xb50 [tls]

Allocated by task 10911:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 tls_set_sw_offload+0x2eb/0xa20 [tls]
 tls_setsockopt+0x68c/0x700 [tls]
 __sys_setsockopt+0xfe/0x1b0

Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy() the iv value in the TLS_1_3_VERSION scenario.
AI Analysis
Technical Summary
CVE-2022-49094 is a vulnerability in the Linux kernel's TLS (Transport Layer Security) implementation, specifically the net/tls subsystem. The flaw is an incorrect length used when copying the initialization vector (IV) in the decrypt_internal function. tls_set_sw_offload() allocates the tls_ctx->rx.iv buffer as prot->iv_size plus prot->salt_size, which is 12 bytes for AES128-CCM, but crypto_aead_ivsize() returns 16 bytes for "ccm(aes)". In the TLS 1.3 path, decrypt_internal used crypto_aead_ivsize() as the memcpy length, so 16 bytes were read out of the 12-byte buffer. This is a slab-out-of-bounds read, which Kernel Address Sanitizer (KASAN) reports as a memory safety violation (the "Read of size 16" line in the description above). The root cause is the use of crypto_aead_ivsize() instead of the correct calculation, prot->iv_size plus prot->salt_size, when copying the IV in TLS 1.3 scenarios. This bug can cause kernel memory corruption, potentially leading to system instability, crashes (kernel panic), or exploitable conditions for privilege escalation or denial of service. The vulnerability affects Linux kernel versions identified by the commit hash f295b3ae9f5927e084bd5decdff82390e3471801 and similar builds. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The fix corrects the IV length passed to memcpy so the copy stays within the allocated buffer.
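To make the size arithmetic concrete, the following C program is an added illustration (not kernel code and not part of the fix described above). It models the rx.iv allocation, the pre-fix and post-fix copy lengths, and a bounds-checked copy that refuses the oversized read instead of performing it. The struct and function names are simplified stand-ins for the net/tls structures; the IV and salt lengths (8 + 4) and the AEAD ivsize values for gcm(aes) (12) and ccm(aes) (16) match the kernel's constants. The AES-GCM row is included to show why the same code path stayed in bounds for GCM and only over-read for CCM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2022-49094 size mismatch; this is not kernel
 * code. The struct and helpers are simplified stand-ins for net/tls. Sizes
 * are the kernel's TLS_CIPHER_AES_*_128 IV (8) and salt (4) lengths and the
 * AEAD ivsize of "gcm(aes)" (12) and "ccm(aes)" (16). */

struct tls_prot_info {
    const char *cipher_name;   /* crypto API algorithm name */
    uint16_t iv_size;          /* explicit per-record IV bytes */
    uint16_t salt_size;        /* implicit salt bytes derived from key material */
    uint16_t aead_ivsize;      /* value crypto_aead_ivsize() reports for this AEAD */
};

static const struct tls_prot_info aes_gcm_128 = { "gcm(aes)", 8, 4, 12 };
static const struct tls_prot_info aes_ccm_128 = { "ccm(aes)", 8, 4, 16 };

/* tls_set_sw_offload() sizes tls_ctx->rx.iv as iv_size + salt_size. */
static size_t rx_iv_alloc_size(const struct tls_prot_info *prot)
{
    return (size_t)prot->iv_size + prot->salt_size;
}

/* Pre-fix TLS 1.3 path in decrypt_internal(): length from crypto_aead_ivsize(). */
static size_t iv_copy_len_buggy(const struct tls_prot_info *prot)
{
    return prot->aead_ivsize;
}

/* Post-fix length: prot->iv_size + prot->salt_size, matching the allocation. */
static size_t iv_copy_len_fixed(const struct tls_prot_info *prot)
{
    return (size_t)prot->iv_size + prot->salt_size;
}

/* Bytes a copy of copy_len would read beyond an allocation of alloc_len. */
static size_t overread_bytes(size_t copy_len, size_t alloc_len)
{
    return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

/* Bounds-checked copy: 0 on success, -1 if n exceeds either buffer. */
static int copy_iv_checked(uint8_t *dst, size_t dst_len,
                           const uint8_t *src, size_t src_alloc, size_t n)
{
    if (n > src_alloc || n > dst_len)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Simulates the copy decrypt_internal() performs for a suite, with the buggy
 * or the fixed length, against an rx.iv whose valid size is what the kernel
 * allocates. Returns the copy_iv_checked() result so it can be asserted. */
static int simulate_iv_copy(const struct tls_prot_info *prot, int use_fix)
{
    uint8_t rx_iv[16] = {0};   /* constructed stand-in for tls_ctx->rx.iv */
    uint8_t iv[32] = {0};      /* destination on the caller's stack */
    size_t alloc = rx_iv_alloc_size(prot);
    size_t n = use_fix ? iv_copy_len_fixed(prot) : iv_copy_len_buggy(prot);
    /* Only 'alloc' bytes of rx_iv are valid; the rest models the adjacent
     * slab memory that KASAN flagged. */
    return copy_iv_checked(iv, sizeof iv, rx_iv, alloc, n);
}

int main(void)
{
    const struct tls_prot_info *suites[] = { &aes_gcm_128, &aes_ccm_128 };
    for (size_t i = 0; i < sizeof suites / sizeof suites[0]; i++) {
        const struct tls_prot_info *p = suites[i];
        size_t alloc = rx_iv_alloc_size(p);
        printf("%-9s rx.iv=%zu aead_ivsize=%zu overread: buggy=%zu fixed=%zu\n",
               p->cipher_name, alloc, iv_copy_len_buggy(p),
               overread_bytes(iv_copy_len_buggy(p), alloc),
               overread_bytes(iv_copy_len_fixed(p), alloc));
    }
    return 0;
}
```

The program prints one row per suite; for ccm(aes) the buggy length over-reads by 4 bytes while the fixed length over-reads by 0, and for gcm(aes) both lengths are in bounds because crypto_aead_ivsize() happens to equal iv_size + salt_size. The checked copy is the general defensive pattern: derive the copy length from the allocation's own size bookkeeping, never from a property of a different object.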
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running vulnerable Linux kernel versions with TLS software offloading enabled. Since Linux is widely used in servers, cloud infrastructure, and embedded devices across Europe, exploitation could lead to kernel crashes, resulting in service outages and potential denial of service. More critically, if attackers can leverage this out-of-bounds read to execute arbitrary code or escalate privileges, it could compromise the confidentiality and integrity of sensitive data and systems. This is particularly concerning for sectors with high reliance on Linux-based infrastructure such as finance, telecommunications, government, and critical infrastructure. The absence of known exploits reduces immediate risk, but the vulnerability's nature suggests that skilled attackers could develop exploits, especially in environments where TLS offloading is common. The impact on availability and potential for privilege escalation makes this a threat that European organizations must address promptly to maintain operational continuity and security compliance.
Mitigation Recommendations
European organizations should take the following specific steps to mitigate this vulnerability:
1) Identify and inventory all Linux systems running kernel versions affected by this vulnerability, focusing on those using TLS software offloading features.
2) Apply the official Linux kernel patches or updates that correct the IV size calculation in the net/tls subsystem as soon as they are available from trusted Linux distribution vendors or kernel maintainers.
3) If immediate patching is not feasible, consider disabling TLS software offloading temporarily to prevent triggering the vulnerable code path.
4) Monitor kernel logs and use tools like KASAN or other memory safety checkers in testing environments to detect any anomalous behavior related to TLS decryption.
5) Implement strict access controls and network segmentation to limit exposure of vulnerable systems to untrusted networks or users.
6) Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation or system crashes.
7) Engage with Linux distribution security advisories and subscribe to vulnerability feeds to stay informed about updates or emerging exploits related to this CVE.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.249Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6b1c
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 2:10:20 AM
Last updated: 8/8/2025, 6:50:58 PM