CVE-2022-49236: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior.
AI Analysis
Technical Summary
CVE-2022-49236 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem related to the handling of BTF (BPF Type Format) data during kernel module loading. The vulnerability arises from a race condition between the kernel's module initialization sequence and the exposure of module BTF data to userspace and the BPF verifier. Specifically, when a kernel module is loaded, its BTF data is parsed and published to userspace during the MODULE_STATE_COMING state, before the module's initialization (initcall) has completed. At this stage, the module is not fully initialized and can still fail and be freed by the kernel. However, the BPF verifier and userspace can access the module's BTF data and increment the module's reference count via btf_try_get_module, which does not account for the module not being fully live. If the module initialization subsequently fails, the module is freed, but userspace still holds references to the now-freed module. When these references are released (e.g., closing a BPF program file descriptor), a use-after-free occurs, potentially leading to kernel memory corruption or arbitrary code execution. The fix involves introducing a BTF_MODULE_F_LIVE flag that is set only when the module reaches the MODULE_STATE_LIVE state, ensuring btf_try_get_module returns NULL for modules not fully initialized, thus preventing the race. This vulnerability affects Linux kernel versions prior to the patch and requires local privileges with low complexity to exploit, as it involves loading BPF programs referencing module BTF data. The CVSS score of 7.8 reflects the high impact on confidentiality, integrity, and availability, with limited attack vector (local) and privileges required. No known exploits are reported in the wild yet. This vulnerability is classified under CWE-416 (Use After Free).
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those running Linux-based infrastructure, including servers, cloud environments, and embedded systems that support BPF functionality. Exploitation could allow a local attacker with the ability to load BPF programs to cause kernel memory corruption, potentially leading to privilege escalation, arbitrary code execution in kernel context, or denial of service via system crashes. This could compromise the confidentiality and integrity of sensitive data and disrupt critical services. Organizations relying on Linux for critical applications, including telecommunications, finance, healthcare, and government services, could face operational disruptions and data breaches. The local attack vector means that attackers need some level of access to the system, but in multi-tenant or shared environments such as cloud or container platforms, this could be leveraged by malicious insiders or compromised accounts. The absence of known exploits in the wild provides a window for mitigation, but the high severity and kernel-level impact necessitate prompt action.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions with the fix that introduces the BTF_MODULE_F_LIVE flag to prevent the race condition. Since this vulnerability involves kernel module loading and BPF program handling, organizations should: 1) Apply kernel updates from trusted sources promptly, especially on systems that allow unprivileged or semi-privileged users to load BPF programs. 2) Restrict BPF program loading capabilities to trusted users only, using Linux security modules (e.g., SELinux, AppArmor) or kernel lockdown features to limit attack surface. 3) Monitor kernel logs and audit BPF program loading activities to detect anomalous behavior. 4) For containerized or virtualized environments, enforce strict isolation and limit capabilities that allow BPF program loading. 5) Employ runtime security tools that can detect exploitation attempts involving kernel memory corruption. 6) Review and harden access controls on systems that expose BPF interfaces, especially in multi-user or cloud environments. 7) Test patches in staging environments to ensure stability before deployment. These steps go beyond generic advice by focusing on controlling BPF program loading and kernel module management, which are central to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2022-49236: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior.
AI-Powered Analysis
Technical Analysis
CVE-2022-49236 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem related to the handling of BTF (BPF Type Format) data during kernel module loading. The vulnerability arises from a race condition between the kernel's module initialization sequence and the exposure of module BTF data to userspace and the BPF verifier. Specifically, when a kernel module is loaded, its BTF data is parsed and published to userspace during the MODULE_STATE_COMING state, before the module's initialization (initcall) has completed. At this stage, the module is not fully initialized and can still fail and be freed by the kernel. However, the BPF verifier and userspace can access the module's BTF data and increment the module's reference count via btf_try_get_module, which does not account for the module not being fully live. If the module initialization subsequently fails, the module is freed, but userspace still holds references to the now-freed module. When these references are released (e.g., closing a BPF program file descriptor), a use-after-free occurs, potentially leading to kernel memory corruption or arbitrary code execution. The fix involves introducing a BTF_MODULE_F_LIVE flag that is set only when the module reaches the MODULE_STATE_LIVE state, ensuring btf_try_get_module returns NULL for modules not fully initialized, thus preventing the race. This vulnerability affects Linux kernel versions prior to the patch and requires local privileges with low complexity to exploit, as it involves loading BPF programs referencing module BTF data. The CVSS score of 7.8 reflects the high impact on confidentiality, integrity, and availability, with limited attack vector (local) and privileges required. No known exploits are reported in the wild yet. This vulnerability is classified under CWE-416 (Use After Free).
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those running Linux-based infrastructure, including servers, cloud environments, and embedded systems that support BPF functionality. Exploitation could allow a local attacker with the ability to load BPF programs to cause kernel memory corruption, potentially leading to privilege escalation, arbitrary code execution in kernel context, or denial of service via system crashes. This could compromise the confidentiality and integrity of sensitive data and disrupt critical services. Organizations relying on Linux for critical applications, including telecommunications, finance, healthcare, and government services, could face operational disruptions and data breaches. The local attack vector means that attackers need some level of access to the system, but in multi-tenant or shared environments such as cloud or container platforms, this could be leveraged by malicious insiders or compromised accounts. The absence of known exploits in the wild provides a window for mitigation, but the high severity and kernel-level impact necessitate prompt action.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions with the fix that introduces the BTF_MODULE_F_LIVE flag to prevent the race condition. Since this vulnerability involves kernel module loading and BPF program handling, organizations should: 1) Apply kernel updates from trusted sources promptly, especially on systems that allow unprivileged or semi-privileged users to load BPF programs. 2) Restrict BPF program loading capabilities to trusted users only, using Linux security modules (e.g., SELinux, AppArmor) or kernel lockdown features to limit attack surface. 3) Monitor kernel logs and audit BPF program loading activities to detect anomalous behavior. 4) For containerized or virtualized environments, enforce strict isolation and limit capabilities that allow BPF program loading. 5) Employ runtime security tools that can detect exploitation attempts involving kernel memory corruption. 6) Review and harden access controls on systems that expose BPF interfaces, especially in multi-user or cloud environments. 7) Test patches in staging environments to ensure stability before deployment. These steps go beyond generic advice by focusing on controlling BPF program loading and kernel module management, which are central to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T01:49:39.294Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe539a
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 7/3/2025, 2:39:48 AM
Last updated: 8/5/2025, 10:50:40 AM
Views: 13
Related Threats
CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumCVE-2025-8929: SQL Injection in code-projects Medical Store Management System
MediumCVE-2025-8928: SQL Injection in code-projects Medical Store Management System
MediumCVE-2025-34154: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Synergetic Data Systems Inc. UnForm Server Manager
CriticalCVE-2025-8927: Improper Restriction of Excessive Authentication Attempts in mtons mblog
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.