CVE-2022-49667: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix use-after-free after 802.3ad slave unbind

commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") resolves the case when there are several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) the aggregator when __agg_active_ports returns zero. So ad_clear_agg can be executed even when num_of_ports != 0. Then bond_3ad_unbind_slave can be executed again for a previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update the slave ports list, because lag_ports == NULL. So here we have slave ports pointing to freed aggregator memory.

Fix by checking the actual number of ports in the group (as was done before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")), before ad_clear_agg().

The KASAN logs are as follows:

[ 767.617392] ==================================================================
[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[ 767.666468] Call trace:
[ 767.668930] dump_backtrace+0x0/0x2d0
[ 767.672625] show_stack+0x24/0x30
[ 767.675965] dump_stack_lvl+0x68/0x84
[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
[ 767.685451] kasan_report+0x1f0/0x260
[ 767.689148] __asan_load2+0x94/0xd0
[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
AI Analysis
Technical Summary
CVE-2022-49667 is a high-severity use-after-free vulnerability in the Linux kernel's bonding driver, specifically in its 802.3ad (LACP) link aggregation implementation. The flaw sits in bond_3ad_unbind_slave, the function that removes a slave network interface from an aggregation group. Since commit 0622cab0341c, the function clears an aggregator as soon as it has no active ports, even while num_of_ports is still non-zero, so the aggregator is invalidated while other ports still reference it. A later call to bond_3ad_unbind_slave for that same aggregator finds lag_ports == NULL and does not update those ports, which are left pointing at freed aggregator memory and are then dereferenced by bond_3ad_state_machine_handler, a use-after-free. The bug was caught by Kernel Address Sanitizer (KASAN), which reported the invalid read in that handler. An attacker with local privileges could trigger the memory corruption with low attack complexity, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context. The vulnerability affects Linux kernel versions containing the faulty commit and is fixed by checking the actual port count before clearing the aggregator. The CVSS 3.1 score is 7.8 (high), reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, local privileges required and no user interaction.
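The following C model is added here and is not kernel code or part of the vulnerability report; it reproduces the unbind logic that the description and summary walk through: an aggregator holding a port list, a clear routine modelled on ad_clear_agg(), and an unbind routine whose clear condition is either the pre-patch test on active ports or the patched test on num_of_ports. The structure layout, the cleared flag (standing in for the freed memory) and the three-port scenario are assumptions; with the pre-patch condition two ports are left referencing a cleared aggregator, with the patched condition none are.

```c
#include <stdbool.h>
#include <stddef.h>
struct aggregator {
    int num_of_ports;
    struct port *lag_ports;          /* list head; NULL once cleared */
    bool cleared;                    /* assumption: stands in for the freed memory */
};
struct port {
    bool is_enabled;                 /* counts toward __agg_active_ports() */
    struct aggregator *aggregator;   /* back-pointer the bug leaves dangling */
    struct port *next_port_in_aggregator;
};
/* Model of __agg_active_ports(): only enabled ports count. */
static int agg_active_ports(const struct aggregator *agg) {
    int n = 0;
    for (const struct port *p = agg->lag_ports; p; p = p->next_port_in_aggregator)
        n += p->is_enabled;
    return n;
}
/* Model of ad_clear_agg(): ports still pointing here become unreachable. */
static void ad_clear_agg(struct aggregator *agg) {
    agg->lag_ports = NULL;
    agg->num_of_ports = 0;
    agg->cleared = true;
}
/* Model of the unbind path; use_fix selects the pre- or post-patch condition. */
static void unbind_port(struct aggregator *agg, struct port *victim, bool use_fix) {
    struct port **pp = &agg->lag_ports;
    for (; *pp && *pp != victim; pp = &(*pp)->next_port_in_aggregator) {}
    if (!*pp) return;                /* lag_ports == NULL: list is not updated */
    *pp = victim->next_port_in_aggregator;
    victim->aggregator = NULL;
    agg->num_of_ports--;
    /* Pre-patch: clear on zero *active* ports even when num_of_ports != 0. */
    if (agg_active_ports(agg) == 0 && (!use_fix || agg->num_of_ports == 0))
        ad_clear_agg(agg);
}
/* Constructed scenario: 3 ports, only port 0 enabled; unbind 0 then 1; count ports left pointing at a cleared aggregator. */
int dangling_after_unbind(bool use_fix) {
    struct aggregator agg;
    struct port ports[3] = {{true, &agg, &ports[1]}, {false, &agg, &ports[2]},
                            {false, &agg, NULL}};
    agg = (struct aggregator){3, ports, false};
    unbind_port(&agg, &ports[0], use_fix);
    unbind_port(&agg, &ports[1], use_fix);
    int dangling = 0;
    for (int i = 0; i < 3; i++)
        dangling += agg.cleared && ports[i].aggregator == &agg;
    return dangling;
}
```

In the real driver the dangling back-pointers are read by bond_3ad_state_machine_handler, which is where KASAN reported the invalid access above.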
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for enterprises and service providers relying on Linux-based infrastructure with network bonding configurations for redundancy and load balancing. Exploitation could lead to kernel crashes or privilege escalation, compromising critical systems such as data centers, cloud environments, and network appliances. The disruption or takeover of network bonding components can degrade network reliability and availability, impacting business continuity. Confidentiality and integrity of sensitive data processed on affected systems could also be at risk if attackers leverage this flaw to execute arbitrary code. Given the widespread use of Linux in European IT environments, including governmental, financial, and industrial sectors, the impact could be broad, affecting both private and public sector organizations that depend on stable and secure network operations.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that address CVE-2022-49667, which restore the check on the aggregator's actual port count before it is cleared. System administrators should audit their Linux kernel versions and update to fixed releases or backport the patch where applicable. Organizations should also review and restrict local user access, since exploitation requires local privileges. Running kernels built with Kernel Address Sanitizer (KASAN) in test environments can surface similar memory-safety issues early, as it did for this bug. Bonding configurations should be monitored for anomalies, and incident response plans should cover kernel-level vulnerabilities. Where immediate patching is not feasible, temporarily disabling bonding or the 802.3ad (LACP) mode reduces exposure. Finally, keep intrusion detection systems up to date and capable of identifying suspicious kernel-level activity.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.436Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe479d
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 7/3/2025, 2:10:54 AM
Last updated: 8/16/2025, 1:52:14 AM