CVE-2022-49548: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp_progs struct can only hold at most BPF_MAX_TRAMP_PROGS bpf programs.
AI Analysis
Technical Summary
CVE-2022-49548 is a bounds-check flaw in the Linux kernel's eBPF trampoline code, the mechanism that dispatches fentry, fexit and fmod_ret (BPF_TRAMP_MODIFY_RETURN) tracing programs attached to a kernel function. Before a new program is linked to a trampoline, the kernel compares the number of already attached programs (cnt) against BPF_MAX_TRAMP_PROGS, but that count covered only the FENTRY and FEXIT lists and ignored the MODIFY_RETURN list. A caller could therefore attach more than BPF_MAX_TRAMP_PROGS fmod_ret programs to a single trampoline. When the trampoline is next regenerated, bpf_trampoline_get_progs() copies each kind's list into the fixed-size progs[] array of a struct bpf_tramp_progs with '*progs++ = aux->prog'; for an oversized MODIFY_RETURN list that loop writes bpf_prog pointers past the end of the array. The result is an out-of-bounds write of kernel pointers into adjacent kernel memory. The likely outcome is a crash or other undefined behaviour; arbitrary code execution is not ruled out but has not been demonstrated. An important caveat is that loading tracing programs already requires CAP_SYS_ADMIN, or CAP_BPF together with CAP_PERFMON on 5.8 and later, so this is a robustness and hardening issue for privileged callers rather than an unprivileged escalation path. The CVE record anchors the affected range at commit 88fd9e5352fe05f7fe57778293aebd4cd106960b (the kernel CNA lists affected versions by the commit that introduced the flaw); any kernel carrying that code without the fix is affected, and because the fix dates from 2022 and has stable backports, the reliable test is your distribution's changelog rather than the major version number. The fix makes the check sum the counts of all trampoline program kinds. No exploits in the wild have been reported and no CVSS score has been assigned; the CVE ID was reserved and published on February 26, 2025, well after the fix itself.
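The following C model is added here as an illustration; it is not code from the kernel, from the fix, or from this page. It reproduces the two forms of the check in user space with minimal stand-ins for the kernel types, assumes BPF_MAX_TRAMP_PROGS is 38 (the value in the affected kernels), and bounds-checks the copy loop of bpf_trampoline_get_progs() so that the overflow is reported as -EOVERFLOW instead of corrupting memory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Per-kind capacity of bpf_tramp_progs.progs[]; 38 is assumed here as the
 * value in the affected kernels. MODEL_CAP is extra headroom for the model. */
#define BPF_MAX_TRAMP_PROGS 38
#define MODEL_CAP (BPF_MAX_TRAMP_PROGS * 2)

enum { BPF_TRAMP_FENTRY, BPF_TRAMP_MODIFY_RETURN, BPF_TRAMP_FEXIT, BPF_TRAMP_MAX };

struct bpf_prog { int id; };	/* stand-in for the kernel's struct bpf_prog */

/* Per-trampoline bookkeeping (cf. struct bpf_trampoline). attached[] is
 * oversized so the model's own state cannot overflow whatever the check does. */
struct trampoline {
	int progs_cnt[BPF_TRAMP_MAX];
	struct bpf_prog *attached[BPF_TRAMP_MAX][MODEL_CAP];
};

/* Mirror of struct bpf_tramp_progs: one fixed-size slot array per kind. */
struct bpf_tramp_progs { struct bpf_prog *progs[BPF_MAX_TRAMP_PROGS]; int nr_progs; };

static struct trampoline tr;		/* the trampoline under test */
static struct bpf_prog pool[MODEL_CAP];	/* programs to attach to it */

/* Vulnerable check: cnt counts only FENTRY and FEXIT, so any number of
 * MODIFY_RETURN programs passes. */
static int link_prog_vulnerable(int kind, struct bpf_prog *p)
{
	int cnt = tr.progs_cnt[BPF_TRAMP_FENTRY] + tr.progs_cnt[BPF_TRAMP_FEXIT];
	if (cnt >= BPF_MAX_TRAMP_PROGS)
		return -E2BIG;
	tr.attached[kind][tr.progs_cnt[kind]++] = p;
	return 0;
}

/* Fixed check: every kind contributes to cnt. */
static int link_prog_fixed(int kind, struct bpf_prog *p)
{
	int cnt = 0, i;
	for (i = 0; i < BPF_TRAMP_MAX; i++)
		cnt += tr.progs_cnt[i];
	if (cnt >= BPF_MAX_TRAMP_PROGS)
		return -E2BIG;
	tr.attached[kind][tr.progs_cnt[kind]++] = p;
	return 0;
}

/* Model of bpf_trampoline_get_progs(). The kernel copies with
 * '*progs++ = aux->prog' and never checks the slot array; the model returns
 * -EOVERFLOW where the kernel would write past progs[], else the total. */
static int get_progs_checked(struct bpf_tramp_progs *tprogs)
{
	int kind, i, total = 0;
	for (kind = 0; kind < BPF_TRAMP_MAX; kind++) {
		int n = tr.progs_cnt[kind];
		tprogs[kind].nr_progs = n;
		total += n;
		if (n > BPF_MAX_TRAMP_PROGS)
			return -EOVERFLOW;
		for (i = 0; i < n; i++)
			tprogs[kind].progs[i] = tr.attached[kind][i];
	}
	return total;
}

/* Attach n fmod_ret programs to a fresh trampoline through the chosen
 * check; returns how many were accepted (n is clamped to MODEL_CAP). */
int count_accepted(int n, int use_fix)
{
	int i, rc, accepted = 0;
	memset(&tr, 0, sizeof(tr));
	if (n > MODEL_CAP)
		n = MODEL_CAP;
	for (i = 0; i < n; i++) {
		pool[i].id = i + 1;
		rc = use_fix ? link_prog_fixed(BPF_TRAMP_MODIFY_RETURN, &pool[i])
			     : link_prog_vulnerable(BPF_TRAMP_MODIFY_RETURN, &pool[i]);
		if (rc == 0)
			accepted++;
	}
	return accepted;
}

/* Over-fill by one program, then regenerate: -EOVERFLOW with the vulnerable
 * check, the number of programs actually copied with the fix. */
int regenerate_after_overfill(int use_fix)
{
	struct bpf_tramp_progs tprogs[BPF_TRAMP_MAX];
	count_accepted(BPF_MAX_TRAMP_PROGS + 1, use_fix);
	return get_progs_checked(tprogs);
}

int main(void)
{
	printf("vulnerable: %d accepted, regenerate -> %d\n",
	       count_accepted(BPF_MAX_TRAMP_PROGS + 1, 0), regenerate_after_overfill(0));
	printf("fixed:      %d accepted, regenerate -> %d\n",
	       count_accepted(BPF_MAX_TRAMP_PROGS + 1, 1), regenerate_after_overfill(1));
	return 0;
}
```

With the vulnerable check all 39 fmod_ret attaches succeed and the regeneration step reports the overflow; with the fixed check the 39th attach fails with -E2BIG and regeneration copies 38 programs. The pattern to look for elsewhere is the same: a limit enforced on a sum that does not cover every list the consumer later iterates.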
Potential Impact
Linux is ubiquitous in European enterprise, cloud, telecom and industrial environments, so the affected code sits on a large installed base, but the exposure is narrower than a generic kernel memory-corruption bug suggests. Reaching bpf_trampoline_get_progs() requires attaching fentry, fexit or fmod_ret programs, which only a task with CAP_SYS_ADMIN (or CAP_BPF together with CAP_PERFMON) can do; unprivileged users and workloads running with the default container capability set cannot trigger it. The realistic attacker is therefore a local user or compromised process that already holds those privileges: a privileged container, an observability or security agent granted CAP_BPF and CAP_PERFMON, or an insider with root. What such an attacker gains is the ability to corrupt kernel memory by attaching more than BPF_MAX_TRAMP_PROGS fmod_ret programs to one kernel function. A kernel panic and denial of service is the probable outcome; code execution from the out-of-bounds pointer writes cannot be excluded, but no exploit has been reported. Organizations that hand out these capabilities widely (multi-tenant hosts, CI runners, developer VMs with eBPF tooling) have the most to lose, because the flaw lets a privileged-but-contained workload crash the shared kernel.
Mitigation Recommendations
Apply the kernel update that corrects the trampoline program count so that every program kind is included; the fix is small, dates from 2022 and has stable backports, so most distribution kernels released since then contain it. Confirm by searching your distribution's changelog for CVE-2022-49548 or for the commit title 'bpf: Fix potential array overflow in bpf_trampoline_get_progs()' rather than assuming from the version number. Until a patched kernel is running, the effective control is capability hygiene: do not grant CAP_SYS_ADMIN, CAP_BPF or CAP_PERFMON to containers and services that do not need to load tracing programs, and use a seccomp profile that denies the bpf(2) syscall to workloads with no business calling it (Docker's default profile already gates bpf on CAP_SYS_ADMIN). Note that the kernel.unprivileged_bpf_disabled sysctl does not help here, since tracing programs already require privileges; SELinux's bpf permission class can further confine which domains may load and attach programs. For detection, log bpf(2) calls with an audit rule such as '-a always,exit -F arch=b64 -S bpf -k bpf' and review attached tracing programs with 'bpftool prog show' and 'bpftool link show'; an unusually large number of fmod_ret programs on a single kernel function is the signature of an attempt. Limit administrative access to critical hosts, test kernel updates in staging before rollout, and keep incident response playbooks ready for kernel crashes that coincide with BPF activity. Disabling eBPF outright is not a runtime option on a stock kernel and would break the networking, observability and security tooling that depends on it, so scope who can load programs instead of trying to remove the subsystem.
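The capability rule above can be turned into a quick triage check. The C program below is an added example (not code from this page, the kernel or any vendor tool): it decodes the CapEff line of /proc/<pid>/status and reports whether that task could load a tracing program at all, which is the precondition for reaching the vulnerable code. The three embedded status snippets are constructed samples, chosen to resemble a root shell, a container with Docker's default capability set, and a process granted only CAP_BPF and CAP_PERFMON.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from include/uapi/linux/capability.h. */
#define CAP_SYS_ADMIN 21
#define CAP_PERFMON   38
#define CAP_BPF       39

static int has_cap(uint64_t caps, int bit)
{
	return (int)((caps >> bit) & 1);
}

/* A tracing program (fentry/fexit/fmod_ret, the kinds that end up in a
 * trampoline) can only be loaded by a task that passes both bpf_capable()
 * and perfmon_capable(): CAP_SYS_ADMIN alone, or CAP_BPF plus CAP_PERFMON. */
int can_load_tracing_prog(uint64_t capeff)
{
	if (has_cap(capeff, CAP_SYS_ADMIN))
		return 1;
	return has_cap(capeff, CAP_BPF) && has_cap(capeff, CAP_PERFMON);
}

/* Extract the effective capability set from the text of /proc/<pid>/status.
 * Returns 1 if found, 0 if there is no CapEff line. */
int parse_capeff(const char *status_text, uint64_t *capeff)
{
	const char *p = strstr(status_text, "CapEff:");

	if (!p)
		return 0;
	*capeff = strtoull(p + strlen("CapEff:"), NULL, 16);
	return 1;
}

/* 1 = can reach the trampoline code, 0 = cannot, -1 = no CapEff line. */
int status_can_load_tracing(const char *status_text)
{
	uint64_t capeff;

	if (!parse_capeff(status_text, &capeff))
		return -1;
	return can_load_tracing_prog(capeff);
}

/* Constructed samples (not captured from a real host): a root shell with the
 * full set, a process with Docker's default set (no SYS_ADMIN, BPF or
 * PERFMON), and one granted only CAP_BPF and CAP_PERFMON. */
const char SAMPLE_ROOT[] = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n";
const char SAMPLE_CONTAINER[] = "Name:\tnginx\nCapEff:\t00000000a80425fb\n";
const char SAMPLE_BPF_ONLY[] = "Name:\tagent\nCapEff:\t000000c000000000\n";

/* Read /proc/<pid>/status from the running system ("self" for this process). */
int pid_can_load_tracing(const char *pid)
{
	char path[64], buf[4096];
	FILE *f;
	size_t n;

	snprintf(path, sizeof(path), "/proc/%s/status", pid);
	f = fopen(path, "r");
	if (!f)
		return -1;
	n = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[n] = '\0';
	return status_can_load_tracing(buf);
}

int main(int argc, char **argv)
{
	const char *pid = argc > 1 ? argv[1] : "self";

	printf("constructed samples: root=%d container=%d bpf+perfmon=%d\n",
	       status_can_load_tracing(SAMPLE_ROOT),
	       status_can_load_tracing(SAMPLE_CONTAINER),
	       status_can_load_tracing(SAMPLE_BPF_ONLY));
	printf("pid %s: %d\n", pid, pid_can_load_tracing(pid));
	return 0;
}
```

Run it with a PID argument (or none to inspect itself) against container init processes and agent daemons; anything that reports 1 on an unpatched kernel is a workload that can reach the vulnerable path. The check covers the bpf() side only: on a kernel built with BTF nothing beyond these capabilities is needed to attach to a kernel function, so a 1 here should be treated as in scope.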
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.590Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe43f7
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 10:11:52 PM
Last updated: 7/29/2025, 12:52:37 PM
Related Threats
- CVE-2025-9016: Uncontrolled Search Path in Mechrevo Control Center GX V2 (High)
- CVE-2025-8451: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets (Medium)
- CVE-2025-8013: CWE-918 Server-Side Request Forgery (SSRF) in quttera Quttera Web Malware Scanner (Low)
- CVE-2025-6679: CWE-434 Unrestricted Upload of File with Dangerous Type in bitpressadmin Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder (Critical)
- CVE-2025-9013: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)