CVE-2022-49695: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

igb: fix a use-after-free issue in igb_clean_tx_ring

Fix the following use-after-free bug in igb_clean_tx_ring routine when the NIC is running in XDP mode. The issue can be triggered redirecting traffic into the igb NIC and then closing the device while the traffic is flowing.

[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
[ 73.426565] Call Trace:
[ 73.429087] <TASK>
[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]
[ 73.436002] igb_down+0x1d7/0x220 [igb]
[ 73.439974] __igb_close+0x3c/0x120 [igb]
[ 73.444118] igb_xdp+0x10c/0x150 [igb]
[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]
[ 73.453362] dev_xdp_install+0xda/0x110
[ 73.457371] dev_xdp_attach+0x1da/0x550
[ 73.461369] do_setlink+0xfd0/0x10f0
[ 73.465166] ? __nla_validate_parse+0x89/0xc70
[ 73.469714] rtnl_setlink+0x11a/0x1e0
[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0
[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130
[ 73.482258] netlink_rcv_skb+0x8d/0x110
[ 73.486229] netlink_unicast+0x230/0x340
[ 73.490317] netlink_sendmsg+0x215/0x470
[ 73.494395] __sys_sendto+0x179/0x190
[ 73.498268] ? move_addr_to_user+0x37/0x70
[ 73.502547] ? __sys_getsockname+0x84/0xe0
[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0
[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0
[ 73.515636] __x64_sys_sendto+0x20/0x30
[ 73.519603] do_syscall_64+0x3b/0x80
[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.528712] RIP: 0033:0x7ff38d41f20c
[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
[ 73.596545] </TASK>
[ 73.598842] ---[ end trace 0000000000000000 ]---
AI Analysis
Technical Summary
CVE-2022-49695 is a high-severity use-after-free vulnerability in the Linux kernel's igb network driver, specifically within the igb_clean_tx_ring function. This vulnerability arises when the Intel Gigabit Ethernet (igb) network interface card (NIC) operates in eXpress Data Path (XDP) mode. The bug is triggered by redirecting network traffic into the igb NIC and then closing the device while traffic is still flowing. The use-after-free condition occurs because the driver attempts to clean the transmit ring buffer after the device has been closed, leading to a reference to freed memory. This can cause kernel crashes (denial of service) or potentially allow an attacker to execute arbitrary code in kernel context due to memory corruption. The vulnerability affects Linux kernel versions including 5.18.3 and likely others where the igb driver and XDP support are present. The provided kernel trace log shows the crash occurring in refcount_warn_saturate, indicating a reference count mismanagement leading to the use-after-free. The CVSS 3.1 score is 7.8 (high), reflecting the local attack vector requiring low privileges but no user interaction, with high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-416 (Use After Free).
Potential Impact
For European organizations, this vulnerability poses a significant risk particularly to those relying on Linux servers with Intel igb NICs operating in XDP mode. The impact includes potential kernel panics causing denial of service, which can disrupt critical network services and infrastructure. More severe exploitation could lead to privilege escalation or arbitrary code execution at the kernel level, compromising system confidentiality and integrity. This is especially critical for data centers, cloud providers, telecom operators, and enterprises running network-intensive Linux workloads. Given the widespread use of Linux in European government, finance, and industrial sectors, exploitation could lead to service outages, data breaches, or lateral movement within networks. The requirement for local privileges limits remote exploitation but insider threats or compromised accounts could leverage this vulnerability. The absence of known exploits reduces immediate risk but patching is essential to prevent future attacks.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Specifically, ensure that the igb driver and XDP components are updated to the latest stable releases provided by their Linux distribution vendors. Network administrators should audit systems using Intel igb NICs in XDP mode and consider temporarily disabling XDP offloading if patching is delayed. Implement strict access controls to limit local user privileges and monitor for unusual network device closures or crashes indicative of exploitation attempts. Employ kernel crash monitoring and logging to detect potential exploitation. For environments using custom or embedded Linux kernels (e.g., in telecom or industrial equipment), coordinate with vendors to obtain patched firmware or kernel updates. Additionally, conduct vulnerability scanning and penetration testing focusing on local privilege escalation vectors to identify susceptible systems.
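The kernel crash monitoring recommended above can key on the signature of the trace in the description. The following is an added example, not code from this page or from the kernel project: it assumes dmesg-style text as input, and the function name `find_igb_tx_uaf` and the `CONSTRUCTED_BENIGN` sample are hypothetical. It ignores `? `-prefixed frames, which the kernel marks as unreliable, so a stale `igb_clean_tx_ring` address left on the stack does not raise an alert.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
# Reliable frame "symbol+0xoff/0xsize [module]"; "? "-prefixed frames are stale guesses.
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
RIP = re.compile(r"^RIP: 0010:(?P<sym>[\w.]+)\+")  # kernel-mode RIP only
HEAD = re.compile(r"Comm: (?P<comm>\S+) (?:Not tainted|Tainted:[ A-Z]+?) +(?P<ver>\d\S*)")

def find_igb_tx_uaf(log_text):
    """Return one dict per kernel report matching the signature of the trace on this page."""
    hits, cur = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw.strip())
        if m := HEAD.search(line):  # the "CPU: ... Comm: ..." line opens a report
            cur = {"comm": m["comm"], "kernel": m["ver"], "rip": None, "frames": set()}
        elif cur is None:
            continue
        elif cur["rip"] is None and (m := RIP.match(line)):
            cur["rip"] = m["sym"]
        elif m := FRAME.match(line):
            cur["frames"].add((m["sym"], m["mod"]))
        elif line.startswith("---[ end trace"):
            if cur["rip"] == "refcount_warn_saturate" and ("igb_clean_tx_ring", "igb") in cur["frames"]:
                # igb_xdp in the path: the device close came from an XDP program change
                cur["via_igb_xdp"] = ("igb_xdp", "igb") in cur["frames"]
                hits.append(cur)
            cur = None
    return hits

# Lines excerpted from the trace on this page (registers and most frames omitted).
PAGE_TRACE = """\
[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]
[ 73.444118] igb_xdp+0x10c/0x150 [igb]
[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]
[ 73.598842] ---[ end trace 0000000000000000 ]---
"""
# Constructed negative: same warning site, igb_clean_tx_ring only as an unreliable frame.
CONSTRUCTED_BENIGN = """\
[ 12.000100] CPU: 0 PID: 901 Comm: kworker/0:1 Not tainted 5.18.3-example #1
[ 12.000200] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
[ 12.000400] example_release+0x20/0x60 [example_drv]
[ 12.000500] ? igb_clean_tx_ring+0x43/0x140 [igb]
[ 12.000600] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    print(find_igb_tx_uaf(PAGE_TRACE + CONSTRUCTED_BENIGN))
```

The function takes the text of `dmesg` or `journalctl -k -o cat`; a hit on a host that has not yet been patched identifies where the kernel update should go first.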
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.442Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe488b
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 7/3/2025, 2:13:30 AM
Last updated: 7/30/2025, 7:15:39 PM