CVE-2022-49647: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: cgroup: Use separate src/dst nodes when preloading css_sets for migration Each cset (css_set) is pinned by its tasks. When we're moving tasks around across csets for a migration, we need to hold the source and destination csets to ensure that they don't go away while we're moving tasks about. This is done by linking cset->mg_preload_node on either the mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the same cset->mg_preload_node for both the src and dst lists was deemed okay as a cset can't be both the source and destination at the same time. Unfortunately, this overloading becomes problematic when multiple tasks are involved in a migration and some of them are identity noop migrations while others are actually moving across cgroups. For example, this can happen with the following sequence on cgroup1: #1> mkdir -p /sys/fs/cgroup/misc/a/b #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS & #4> PID=$! #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs the process including the group leader back into a. In this final migration, non-leader threads would be doing identity migration while the group leader is doing an actual one. After #3, let's say the whole process was in cset A, and that after #4, the leader moves to cset B. Then, during #6, the following happens: 1. cgroup_migrate_add_src() is called on B for the leader. 2. cgroup_migrate_add_src() is called on A for the other threads. 3. cgroup_migrate_prepare_dst() is called. It scans the src list. 4. It notices that B wants to migrate to A, so it tries to A to the dst list but realizes that its ->mg_preload_node is already busy. 5. and then it notices A wants to migrate to A as it's an identity migration, it culls it by list_del_init()'ing its ->mg_preload_node and putting references accordingly. 6. The rest of migration takes place with B on the src list but nothing on the dst list. This means that A isn't held while migration is in progress. If all tasks leave A before the migration finishes and the incoming task pins it, the cset will be destroyed leading to use-after-free. This is caused by overloading cset->mg_preload_node for both src and dst preload lists. We wanted to exclude the cset from the src list but ended up inadvertently excluding it from the dst list too. This patch fixes the issue by separating out cset->mg_preload_node into ->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst preloadings don't interfere with each other.
AI Analysis
Technical Summary
CVE-2022-49647 is a high-severity vulnerability in the Linux kernel's cgroup subsystem related to task migration across control groups (csets). The issue arises from the way the kernel manages internal data structures during migration of tasks between cgroups. Specifically, the kernel uses a single node (cset->mg_preload_node) to track both source and destination cgroups during migration. This design assumes a cgroup cannot be both source and destination simultaneously. However, in scenarios involving multiple threads where some perform identity migrations (no actual move) and others move across cgroups, this assumption breaks down. The reuse of the same node for both source and destination lists leads to improper reference counting and premature removal of cgroups from tracking lists. Consequently, if all tasks leave a source cgroup before migration completes and an incoming task pins it, the cgroup can be destroyed prematurely, resulting in a use-after-free condition. This memory corruption flaw could be exploited by a local attacker with limited privileges (requires local privileges and no user interaction) to escalate privileges or cause denial of service by crashing the kernel. The patch resolves this by splitting the single mg_preload_node into separate mg_src_preload_node and mg_dst_preload_node nodes, preventing interference between source and destination preload lists and ensuring proper lifecycle management of cgroups during migration. The vulnerability is identified as CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.8, indicating high severity with impacts on confidentiality, integrity, and availability. Exploitation requires local access and privileges but no user interaction, making it a significant risk for multi-user Linux systems or container environments relying on cgroups for resource management.
Potential Impact
For European organizations, this vulnerability poses a critical risk especially in environments heavily reliant on Linux servers, container orchestration platforms (e.g., Kubernetes), and multi-tenant systems where cgroups are extensively used for resource isolation and management. Exploitation could allow attackers to escalate privileges locally, potentially gaining root access or causing kernel crashes leading to denial of service. This can disrupt critical services, compromise sensitive data, and impact business continuity. Organizations running cloud infrastructure, hosting providers, and enterprises using Linux-based virtualization or containerization technologies are particularly vulnerable. The flaw could be leveraged to bypass security boundaries between containers or user namespaces, undermining isolation guarantees. Given the widespread use of Linux in European data centers and critical infrastructure, the vulnerability could have broad operational and security impacts if left unpatched.
Mitigation Recommendations
1. Apply the official Linux kernel patches that separate mg_preload_node into mg_src_preload_node and mg_dst_preload_node as soon as they become available from trusted sources or Linux distribution vendors. 2. Prioritize patching in environments running multi-threaded applications with complex cgroup migrations, such as container orchestration platforms or systems using advanced resource control features. 3. Implement strict access controls and monitoring on cgroup management interfaces (e.g., /sys/fs/cgroup) to restrict unprivileged users from performing cgroup migrations. 4. Employ kernel live patching solutions where possible to minimize downtime while applying fixes. 5. Monitor kernel logs and system behavior for anomalies indicative of exploitation attempts, such as unexpected kernel crashes or suspicious cgroup migration activities. 6. Conduct thorough testing of patched kernels in staging environments to ensure stability before production deployment. 7. Educate system administrators about the risks of local privilege escalation via kernel vulnerabilities and enforce least privilege principles for users with cgroup management capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2022-49647: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: cgroup: Use separate src/dst nodes when preloading css_sets for migration Each cset (css_set) is pinned by its tasks. When we're moving tasks around across csets for a migration, we need to hold the source and destination csets to ensure that they don't go away while we're moving tasks about. This is done by linking cset->mg_preload_node on either the mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the same cset->mg_preload_node for both the src and dst lists was deemed okay as a cset can't be both the source and destination at the same time. Unfortunately, this overloading becomes problematic when multiple tasks are involved in a migration and some of them are identity noop migrations while others are actually moving across cgroups. For example, this can happen with the following sequence on cgroup1: #1> mkdir -p /sys/fs/cgroup/misc/a/b #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS & #4> PID=$! #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs the process including the group leader back into a. In this final migration, non-leader threads would be doing identity migration while the group leader is doing an actual one. After #3, let's say the whole process was in cset A, and that after #4, the leader moves to cset B. Then, during #6, the following happens: 1. cgroup_migrate_add_src() is called on B for the leader. 2. cgroup_migrate_add_src() is called on A for the other threads. 3. cgroup_migrate_prepare_dst() is called. It scans the src list. 4. It notices that B wants to migrate to A, so it tries to A to the dst list but realizes that its ->mg_preload_node is already busy. 5. and then it notices A wants to migrate to A as it's an identity migration, it culls it by list_del_init()'ing its ->mg_preload_node and putting references accordingly. 6. The rest of migration takes place with B on the src list but nothing on the dst list. This means that A isn't held while migration is in progress. If all tasks leave A before the migration finishes and the incoming task pins it, the cset will be destroyed leading to use-after-free. This is caused by overloading cset->mg_preload_node for both src and dst preload lists. We wanted to exclude the cset from the src list but ended up inadvertently excluding it from the dst list too. This patch fixes the issue by separating out cset->mg_preload_node into ->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst preloadings don't interfere with each other.
AI-Powered Analysis
Technical Analysis
CVE-2022-49647 is a high-severity vulnerability in the Linux kernel's cgroup subsystem related to task migration across control groups (csets). The issue arises from the way the kernel manages internal data structures during migration of tasks between cgroups. Specifically, the kernel uses a single node (cset->mg_preload_node) to track both source and destination cgroups during migration. This design assumes a cgroup cannot be both source and destination simultaneously. However, in scenarios involving multiple threads where some perform identity migrations (no actual move) and others move across cgroups, this assumption breaks down. The reuse of the same node for both source and destination lists leads to improper reference counting and premature removal of cgroups from tracking lists. Consequently, if all tasks leave a source cgroup before migration completes and an incoming task pins it, the cgroup can be destroyed prematurely, resulting in a use-after-free condition. This memory corruption flaw could be exploited by a local attacker with limited privileges (requires local privileges and no user interaction) to escalate privileges or cause denial of service by crashing the kernel. The patch resolves this by splitting the single mg_preload_node into separate mg_src_preload_node and mg_dst_preload_node nodes, preventing interference between source and destination preload lists and ensuring proper lifecycle management of cgroups during migration. The vulnerability is identified as CWE-416 (Use After Free) and has a CVSS v3.1 score of 7.8, indicating high severity with impacts on confidentiality, integrity, and availability. Exploitation requires local access and privileges but no user interaction, making it a significant risk for multi-user Linux systems or container environments relying on cgroups for resource management.
Potential Impact
For European organizations, this vulnerability poses a critical risk especially in environments heavily reliant on Linux servers, container orchestration platforms (e.g., Kubernetes), and multi-tenant systems where cgroups are extensively used for resource isolation and management. Exploitation could allow attackers to escalate privileges locally, potentially gaining root access or causing kernel crashes leading to denial of service. This can disrupt critical services, compromise sensitive data, and impact business continuity. Organizations running cloud infrastructure, hosting providers, and enterprises using Linux-based virtualization or containerization technologies are particularly vulnerable. The flaw could be leveraged to bypass security boundaries between containers or user namespaces, undermining isolation guarantees. Given the widespread use of Linux in European data centers and critical infrastructure, the vulnerability could have broad operational and security impacts if left unpatched.
Mitigation Recommendations
1. Apply the official Linux kernel patches that separate mg_preload_node into mg_src_preload_node and mg_dst_preload_node as soon as they become available from trusted sources or Linux distribution vendors. 2. Prioritize patching in environments running multi-threaded applications with complex cgroup migrations, such as container orchestration platforms or systems using advanced resource control features. 3. Implement strict access controls and monitoring on cgroup management interfaces (e.g., /sys/fs/cgroup) to restrict unprivileged users from performing cgroup migrations. 4. Employ kernel live patching solutions where possible to minimize downtime while applying fixes. 5. Monitor kernel logs and system behavior for anomalies indicative of exploitation attempts, such as unexpected kernel crashes or suspicious cgroup migration activities. 6. Conduct thorough testing of patched kernels in staging environments to ensure stability before production deployment. 7. Educate system administrators about the risks of local privilege escalation via kernel vulnerabilities and enforce least privilege principles for users with cgroup management capabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:21:30.432Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe473a
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 7/3/2025, 2:10:09 AM
Last updated: 7/22/2025, 1:49:21 PM
Views: 7
Related Threats
CVE-2025-9119: Cross Site Scripting in Netis WF2419
MediumCVE-2025-8098: CWE-276: Incorrect Default Permissions in Lenovo PC Manager
HighCVE-2025-53192: CWE-146 Improper Neutralization of Expression/Command Delimiters in Apache Software Foundation Apache Commons OGNL
HighCVE-2025-4371: CWE-347: Improper Verification of Cryptographic Signature in Lenovo 510 FHD Webcam
HighCVE-2025-32992: n/a
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.