
CVE-2022-49110: Vulnerability in Linux

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:54:55 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: revisit gc autotuning. As of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle"), conntrack gc was changed to run every 2 minutes. On systems where the conntrack hash table is set to a large value, most evictions happen from the gc worker rather than the packet path due to hash table distribution. This causes netlink event overflows when events are collected. This change collects the average expiry of scanned entries and reschedules to the average remaining value, within a 1 to 60 second interval. To avoid event overflows, reschedule after each bucket and add a limit for both run time and number of evictions per run. If more entries have to be evicted, reschedule and restart 1 jiffy into the future.

AI-Powered Analysis

Last updated: 07/01/2025, 02:27:27 UTC

Technical Analysis

CVE-2022-49110 is a vulnerability in the Linux kernel's netfilter connection tracking (conntrack) subsystem, specifically in the garbage collection (gc) autotuning mechanism. Conntrack tracks network connections and is widely used in Linux-based firewalls and network address translation (NAT) implementations. The problem lies in how the conntrack garbage collector schedules and executes evictions of expired connection entries from the hash table. Since commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle"), the garbage collector ran every 2 minutes. On systems where the conntrack hash table is configured to a large value, most evictions then occur in the garbage collector worker rather than during packet processing, because of how entries are distributed across the hash table. Each eviction generates a netlink event, so a gc run that evicts many entries at once overflows the netlink event queue, and listeners lose event notifications.

The fix revisits the autotuning: the garbage collector now collects the average expiry time of the entries it scans and reschedules itself to that average remaining value, clamped to a 1 to 60 second interval. It also reschedules after each bucket and limits both the run time and the number of evictions per run. If more entries still need eviction when a limit is reached, the worker reschedules itself 1 jiffy into the future rather than continuing, which spreads evictions (and their events) over time instead of emitting them in one burst. No exploits in the wild were known as of the publication date. The issue nevertheless affects the Linux kernel, a core component of servers, network devices, and embedded systems, and can lead to degraded network performance, a potential denial of service through event overflow, or instability in connection tracking that impairs firewall and NAT functionality.
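The rescheduling logic described above, as an added illustrative model rather than the kernel's own code: one gc pass over a bucket evicts expired entries up to a budget, averages the remaining lifetime of the live ones, and clamps the next delay to the 1 to 60 second window, or backs off by one jiffy when the budget is exhausted. The budget size, the jiffy length and the sample buckets are constructed values, not the kernel's.

```c
#include <stddef.h>

/* Constructed model parameters; the kernel's real limits and HZ differ. */
#define GC_INTERVAL_MIN_MS  1000UL  /* 1 s lower bound from the description   */
#define GC_INTERVAL_MAX_MS 60000UL  /* 60 s upper bound from the description  */
#define GC_JIFFY_MS            1UL  /* "1 jiffy" modelled as 1 ms (HZ=1000)  */
#define GC_MAX_EVICTS            4  /* per-run eviction budget (constructed) */

struct ct_entry { unsigned long expires_ms; };  /* absolute expiry time */

/* evicted: entries removed (each one is a netlink DESTROY event);
 * next_run_ms: delay before the worker runs again;
 * budget_hit: 1 if expired entries were left for the next run. */
struct gc_result { unsigned evicted; unsigned long next_run_ms; int budget_hit; };

/* One gc pass over a bucket: evict expired entries up to the budget, average
 * the remaining lifetime of the live ones, and clamp that to [1 s, 60 s]. */
struct gc_result gc_run(const struct ct_entry *b, size_t n, unsigned long now_ms)
{
    struct gc_result r = { 0, GC_INTERVAL_MAX_MS, 0 };
    unsigned long sum = 0, live = 0;
    for (size_t i = 0; i < n; i++) {
        if (b[i].expires_ms <= now_ms) {           /* expired: evict it */
            if (r.evicted >= GC_MAX_EVICTS) {      /* budget spent, work remains: */
                r.budget_hit = 1; r.next_run_ms = GC_JIFFY_MS; return r; /* 1 jiffy */
            }
            r.evicted++;
        } else {
            sum += b[i].expires_ms - now_ms;       /* remaining lifetime */
            live++;
        }
    }
    if (live) {
        unsigned long avg = sum / live;
        if (avg < GC_INTERVAL_MIN_MS) avg = GC_INTERVAL_MIN_MS;
        if (avg > GC_INTERVAL_MAX_MS) avg = GC_INTERVAL_MAX_MS;
        r.next_run_ms = avg;
    }
    return r;
}

/* Constructed sample buckets, all scanned at now_ms = 10000. */
static const struct ct_entry bucket_mixed[]     = { {15000}, {25000}, {40000} };
static const struct ct_entry bucket_longlived[] = { {310000}, {610000} };
static const struct ct_entry bucket_soon[]      = { {10100}, {10300} };
static const struct ct_entry bucket_burst[] =
    { {9000}, {9000}, {9000}, {9000}, {9000}, {9000}, {20000} };
```

With the burst bucket the model evicts only four entries and returns a 1 ms delay, so the remaining two expired entries (and their events) go out on the next run instead of in the same pass.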

Potential Impact

For European organizations, this vulnerability could have significant impacts, especially for those relying heavily on Linux-based infrastructure for networking, including data centers, cloud providers, telecommunications, and critical infrastructure operators. The conntrack subsystem is integral to firewall and NAT operations; thus, overflow of netlink events and inefficient garbage collection could lead to degraded network performance or temporary denial of service conditions. This could disrupt business operations, impact availability of services, and increase the risk of network outages. Organizations with large-scale Linux deployments or those using large conntrack hash tables are particularly at risk. Additionally, network devices and appliances running Linux kernels with this vulnerability could experience instability, affecting network security monitoring and traffic filtering capabilities. While no known exploits exist currently, the potential for denial of service or network disruption makes timely patching critical to maintain operational stability and security posture.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1. Identify and inventory all Linux systems running affected kernel versions, particularly those with large conntrack hash tables configured.
2. Apply the kernel patch or upgrade to a Linux kernel version that includes the fix (the "netfilter: conntrack: revisit gc autotuning" change described above) as soon as possible.
3. Review and optimize conntrack hash table sizes to avoid unnecessarily large values that exacerbate garbage collection issues.
4. Monitor netlink event queues and system logs for signs of event overflow or garbage collector rescheduling anomalies.
5. Implement network segmentation and redundancy to minimize impact if network connection tracking is temporarily degraded.
6. Test kernel updates in staging environments to ensure compatibility and stability before production deployment.
7. Maintain up-to-date incident response plans that include network subsystem monitoring and recovery procedures.

These steps go beyond generic advice by focusing on configuration tuning, proactive monitoring, and staged deployment to reduce risk.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.251Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6b8e

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 2:27:27 AM

Last updated: 8/12/2025, 3:57:09 PM
