CVE-2022-49390: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

macsec: fix UAF bug for real_dev

Creating a new macsec device does not get a reference to real_dev. That cannot ensure that real_dev is freed after macsec. That will trigger the UAF bug for real_dev as follows:

==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
Call Trace:
...
macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
dev_get_iflink+0x73/0xe0 net/core/dev.c:637
default_operstate net/core/link_watch.c:42 [inline]
rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161

Allocated by task 22209:
...
alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748

Freed by task 8:
...
kfree+0xd6/0x4d0 mm/slub.c:4552
kvfree+0x42/0x50 mm/util.c:615
device_release+0x9f/0x240 drivers/base/core.c:2229
kobject_cleanup lib/kobject.c:673 [inline]
kobject_release lib/kobject.c:704 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x540 lib/kobject.c:721
netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327

After commit faab39f63c1f ("net: allow out-of-order netdev unregistration") and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we can add dev_hold_track() in macsec_dev_init() and dev_put_track() in macsec_free_netdev() to fix the problem.
AI Analysis
Technical Summary
CVE-2022-49390 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's MACsec (Media Access Control Security) implementation. MACsec is a link-layer security protocol that provides confidentiality, integrity, and origin authenticity for Ethernet frames. The vulnerability arises because creating a macsec device did not take a reference on the underlying real network device (real_dev). Without that reference, the kernel cannot guarantee that real_dev outlives the macsec device: real_dev can be unregistered and freed while the macsec device still points to it. When the kernel later dereferences that pointer (in the reported trace, the link-watch code calls macsec_get_iflink(), which reads real_dev), it accesses freed memory, a condition that can lead to memory corruption, kernel crashes or, in the worst case, arbitrary code execution. The commit message notes that the fix depends on two earlier commits, faab39f63c1f ("net: allow out-of-order netdev unregistration") and e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"). With those in place, the fix adds dev_hold_track() in macsec_dev_init() and dev_put_track() in macsec_free_netdev(), so that real_dev is pinned for the lifetime of the macsec device and released only when the macsec device itself is freed. The vulnerability is classified as CWE-416 (Use After Free) and has a CVSS v3.1 base score of 7.8 (high). The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N); the confidentiality, integrity and availability impacts are all rated high, meaning a local attacker could potentially execute code in kernel context, cause a denial of service, or leak sensitive information. No exploits are known in the wild, but a use-after-free in kernel networking code is a serious risk, especially on systems that use MACsec for secure Ethernet communication.
The affected Linux kernel versions are identified by commit hashes in the CVE record, indicating that the vulnerability is present in kernel versions prior to the patch. In summary, a local attacker with limited privileges could trigger a use-after-free in the Linux kernel's MACsec driver, potentially leading to full kernel compromise or system instability.
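The lifetime problem described above can be shown without a kernel: the following is an added userspace model, not the kernel's code or the patch, in which constructed stand-ins for dev_hold()/dev_put(), the unregistration "todo" step, macsec_free_netdev() and macsec_get_iflink() imitate the two orderings. Instead of actually returning memory to the allocator, release marks the object, so an access after release can be counted the way KASAN would report it. The `patched` flag selects whether the macsec device takes a reference on real_dev at creation (the fix) or not (the vulnerable behaviour).

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a kernel net_device; names mirror kernel concepts only. */
struct net_device {
    char name[16];
    int ifindex;
    int refcnt;        /* outstanding references, as tracked by dev_hold/dev_put */
    int pending_free;  /* unregistered, waiting for refcnt to reach zero */
    int freed;         /* memory would have been returned to the allocator */
    void (*priv_destructor)(struct net_device *dev);
};

struct macsec_dev {
    struct net_device dev;       /* must stay the first member (container trick) */
    struct net_device *real_dev; /* the underlying device, e.g. a veth */
    int holds_real_dev;          /* 1 = patched behaviour: a reference was taken */
};

int kasan_reports; /* accesses to released devices observed so far */

static struct net_device *alloc_netdev(size_t size, const char *name, int ifindex)
{
    struct net_device *dev = calloc(1, size);
    assert(dev != NULL);
    snprintf(dev->name, sizeof dev->name, "%s", name);
    dev->ifindex = ifindex;
    dev->refcnt = 1; /* the reference owned by the registration itself */
    return dev;
}

static void dev_hold(struct net_device *dev) { dev->refcnt++; }

/* Models the final step of netdev_run_todo(): destructor, then memory release. */
static void netdev_release(struct net_device *dev)
{
    if (dev->priv_destructor)
        dev->priv_destructor(dev);
    dev->freed = 1;
}

static void dev_put(struct net_device *dev)
{
    assert(dev->refcnt > 0);
    if (--dev->refcnt == 0 && dev->pending_free)
        netdev_release(dev); /* last reference gone: the pending free completes */
}

/* Models unregister_netdevice() plus the todo processing that follows it. */
static void unregister_netdev(struct net_device *dev)
{
    dev->pending_free = 1;
    dev_put(dev); /* drop the registration reference; frees if nobody else holds one */
}

/* Models macsec_free_netdev(): with the fix, the reference on real_dev is dropped here. */
static void macsec_free_netdev(struct net_device *dev)
{
    struct macsec_dev *macsec = (struct macsec_dev *)dev;
    if (macsec->holds_real_dev)
        dev_put(macsec->real_dev);
}

/* Models macsec device creation; `patched` selects whether real_dev is pinned. */
static struct macsec_dev *macsec_newlink(struct net_device *real_dev, int ifindex, int patched)
{
    struct macsec_dev *macsec =
        (struct macsec_dev *)alloc_netdev(sizeof(struct macsec_dev), "macsec0", ifindex);
    macsec->real_dev = real_dev;
    macsec->dev.priv_destructor = macsec_free_netdev;
    macsec->holds_real_dev = patched;
    if (patched)
        dev_hold(real_dev); /* the fix: real_dev lives at least as long as macsec */
    return macsec;
}

/* Models macsec_get_iflink(), which the link watch calls on the macsec device. */
static int macsec_get_iflink(const struct macsec_dev *macsec)
{
    if (macsec->real_dev->freed)
        kasan_reports++; /* what KASAN flags as use-after-free in the real kernel */
    return macsec->real_dev->ifindex;
}

/* Replays the teardown order from the report: the real device goes away before
 * the macsec device. Returns the number of use-after-free accesses observed. */
int run_teardown(int patched)
{
    struct net_device *veth = alloc_netdev(sizeof *veth, "veth0", 2);
    struct macsec_dev *macsec = macsec_newlink(veth, 3, patched);
    int reports_before = kasan_reports;

    unregister_netdev(veth);          /* the underlying veth unregisters first */
    (void)macsec_get_iflink(macsec);  /* link watch still dereferences real_dev */
    unregister_netdev(&macsec->dev);  /* macsec teardown releases its reference */

    assert(veth->freed && macsec->dev.freed); /* both released in the end: no leak */
    free(veth);
    free(macsec);
    return kasan_reports - reports_before;
}

int main(void)
{
    printf("unpatched: %d use-after-free access(es)\n", run_teardown(0));
    printf("patched:   %d use-after-free access(es)\n", run_teardown(1));
    return 0;
}
```

The unpatched run releases the veth as soon as it is unregistered, so the later macsec_get_iflink() call touches a released object; the patched run keeps the veth pending until the macsec destructor drops the extra reference, and both objects are still released at the end, which is the property the fix has to preserve.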
Potential Impact
For European organizations, the impact of CVE-2022-49390 can be significant, particularly for those relying on Linux-based infrastructure with MACsec enabled for secure network communications. MACsec is often deployed in enterprise networks, data centers, and critical infrastructure to protect Ethernet traffic. Exploitation could lead to kernel-level compromise, allowing attackers to bypass security controls, escalate privileges, and disrupt network services. Confidentiality is at risk as attackers could potentially access sensitive data traversing the network. Integrity could be compromised by injecting or modifying network traffic. Availability is also threatened due to possible kernel crashes or system instability caused by the use-after-free condition. This could impact critical services, leading to downtime and operational disruption. Given the vulnerability requires local access with low privileges, insider threats or attackers who have gained initial footholds could leverage this flaw to escalate privileges and move laterally within networks. This elevates the risk profile for organizations with multi-tenant environments, cloud deployments, or remote access systems running vulnerable Linux kernels. The absence of known exploits in the wild provides some mitigation window, but the high severity and ease of exploitation mean organizations should prioritize patching. Failure to address this vulnerability could lead to data breaches, service outages, and compliance violations under European data protection regulations such as GDPR.
Mitigation Recommendations
1. Apply Kernel Updates: The primary mitigation is to update Linux kernel versions to those containing the fix for CVE-2022-49390. Organizations should track vendor advisories and deploy patches promptly.
2. Disable MACsec if Not Required: If MACsec is not in use, disabling the MACsec module or related kernel features can reduce the attack surface.
3. Restrict Local Access: Limit local user privileges and access to systems running vulnerable kernels. Employ strict access controls, multi-factor authentication, and monitoring to detect unauthorized local access attempts.
4. Network Segmentation: Segment critical systems to prevent lateral movement by attackers who gain local access.
5. Kernel Hardening: Utilize kernel security modules (e.g., SELinux, AppArmor) and exploit mitigation techniques (e.g., KASLR, SMEP, SMAP) to reduce the impact of kernel-level vulnerabilities.
6. Monitor Logs and Behavior: Implement monitoring for unusual kernel crashes, network device errors, or suspicious activity that could indicate exploitation attempts.
7. Vendor Coordination: For organizations using commercial Linux distributions, coordinate with vendors to receive timely patches and guidance.
These steps go beyond generic advice by focusing on the specific vulnerability context (MACsec usage, local access requirements) and emphasizing operational controls alongside patching.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.561Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd66a
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 2:27:56 PM
Last updated: 7/30/2025, 4:22:50 AM
Views: 8