
CVE-2022-49696: Vulnerability in the Linux kernel (TIPC use-after-free in tipc_named_reinit)

High
Published: Wed Feb 26 2025 (02/26/2025, 02:24:18 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix use-after-free Read in tipc_named_reinit

syzbot found the following issue on:

==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764

CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted 5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
 tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>
[...]
==================================================================

In the commit d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"), the cancel_work_sync() function was used just to make sure ONLY the work tipc_net_finalize_work() executing/pending on any CPU completed before the tipc namespace is destroyed through tipc_exit_net(). But this function does not guarantee the work is the last one queued. So, the destroyed instance may be accessed in the work which will try to enqueue later.

In order to completely fix this, we re-order the calling of cancel_work_sync() to make sure the work tipc_net_finalize_work() was the last queued and it must be completed by calling cancel_work_sync().

AI-Powered Analysis

Last updated: 07/02/2025, 21:41:48 UTC

Technical Analysis

CVE-2022-49696 is a high-severity use-after-free in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem. The freed memory is read in tipc_named_reinit() (net/tipc/name_distr.c:413 in the report), reached from tipc_net_finalize() when the deferred work item tipc_net_finalize_work() runs on the system ("events") workqueue; the object it reads is the per-namespace TIPC state that tipc_exit_net() has already freed. The root cause is the order of operations in that teardown. An earlier commit, d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"), added a cancel_work_sync() call so that an instance of tipc_net_finalize_work() already running or pending would finish before the namespace is destroyed. cancel_work_sync() only deals with the instance queued at the moment it is called; it does nothing about a queue_work() issued afterwards by code paths that are still alive at that point, so an instance queued after the call later dereferences the freed namespace. syzbot, the kernel fuzzing service, reported it as a KASAN use-after-free read of 8 bytes in a kworker thread on a 5.18.0-rc4 test kernel. The fix moves the cancel_work_sync() call to a point where nothing can queue tipc_net_finalize_work() any more, so the instance it cancels or completes is provably the last one. Note that d966ddcc3821 is the earlier, incomplete change, not the fix for this CVE: affected kernels are those that contain d966ddcc3821 without the later reordering, and the exact patched releases are listed in the kernel stable and distribution trackers. The vulnerability is classified under CWE-416 (Use After Free) and carries a CVSS v3.1 score of 7.8 (high): local access with low privileges, low attack complexity, no user interaction, and high confidentiality, integrity and availability impact. The demonstrated primitive is a read of freed memory in kernel context, so the most likely result of triggering it is a kernel crash; memory corruption or code execution in kernel mode would additionally require an attacker to win the race and reclaim the freed slab object with controlled contents before the work runs.
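The ordering problem described above, as a user-space model added here for illustration. This is not kernel code and not the TIPC patch: the function names mirror the kernel ones only so the sequence is recognisable, the "producer" that queues the work is modelled as a single flag cleared by a stand-in for tipc_net_stop() (an assumption about which call ends the scheduling path, not taken from the patch), and kfree() is replaced by a flag so the program never touches freed memory itself. What the model shows is the one fact that matters: a cancel_work_sync() issued while the producer is still alive is not a guarantee that no further instance will be queued, whereas stopping the producer first makes the cancelled or completed instance the last one.

```c
#include <stdio.h>
#include <string.h>

/* Model of the per-namespace object (kernel: struct tipc_net) that
 * tipc_net_finalize_work() dereferences. Instead of a real kfree() we
 * flip a flag; a set flag is this model's stand-in for the KASAN report. */
struct tn_model {
    int discovery_active;   /* 1 while the code path that queues the work is alive */
    int finalized;          /* set when the work body runs against live memory */
    int freed;              /* 1 after the namespace memory has been released */
};

/* One-slot stand-in for the kernel's system workqueue ("Workqueue: events"). */
static struct tn_model *pending_work;

/* Stand-in for the scheduling of tipc_net_finalize_work(): may happen on
 * another CPU at any moment while discovery is still active. */
static void sched_net_finalize(struct tn_model *tn)
{
    if (!tn->discovery_active)
        return;                 /* producer stopped: nothing can queue any more */
    pending_work = tn;
}

/* Stand-in for tipc_net_finalize_work() -> tipc_net_finalize() ->
 * tipc_named_reinit(). Returns -1 when it would read freed memory. */
static int net_finalize_work(struct tn_model *tn)
{
    if (tn->freed)
        return -1;              /* the use-after-free read from the report */
    tn->finalized = 1;
    return 0;
}

/* Stand-in for cancel_work_sync(&tn->work): completes the instance queued
 * right now. It cannot know about a queue_work() that happens after it
 * returns, which is the whole ordering bug. */
static int cancel_work_sync_model(struct tn_model *tn)
{
    int rc = 0;
    if (pending_work == tn) {
        rc = net_finalize_work(tn);   /* wait for it / run it to completion */
        pending_work = NULL;
    }
    return rc;
}

/* Assumed stand-in for tipc_net_stop(): ends the only producer of the work. */
static void net_stop(struct tn_model *tn)
{
    tn->discovery_active = 0;
}

/* The kworker draining the queue some time after teardown returned. */
static int run_workqueue(void)
{
    int rc = 0;
    if (pending_work) {
        rc = net_finalize_work(pending_work);
        pending_work = NULL;
    }
    return rc;
}

/* Teardown in the order the commit message calls insufficient: cancel first,
 * stop the producer afterwards. `race` injects the discovery event that lands
 * on another CPU in the window between the two calls. */
static int exit_net_cancel_then_stop(struct tn_model *tn, int race)
{
    cancel_work_sync_model(tn);
    if (race)
        sched_net_finalize(tn);     /* producer still alive: work re-queued */
    net_stop(tn);
    tn->freed = 1;                  /* the kfree() of the namespace state */
    return run_workqueue();
}

/* Teardown with the producer stopped before the cancel: whatever is queued
 * at cancel time is provably the last instance, and it is completed there. */
static int exit_net_stop_then_cancel(struct tn_model *tn, int race)
{
    net_stop(tn);
    if (race)
        sched_net_finalize(tn);     /* producer already stopped: no-op */
    cancel_work_sync_model(tn);
    tn->freed = 1;
    return run_workqueue();
}

/* Runs one scenario from a fresh namespace that already has one instance of
 * the work pending when teardown starts (the case d966ddcc3821 handled).
 * Returns 0 for a clean teardown, -1 if the work ran against freed memory. */
int run_scenario(int stop_before_cancel, int race)
{
    struct tn_model tn;
    memset(&tn, 0, sizeof tn);
    tn.discovery_active = 1;
    pending_work = NULL;
    sched_net_finalize(&tn);
    if (stop_before_cancel)
        return exit_net_stop_then_cancel(&tn, race);
    return exit_net_cancel_then_stop(&tn, race);
}

int main(void)
{
    printf("cancel-then-stop, no late event : %d\n", run_scenario(0, 0));
    printf("cancel-then-stop, late event    : %d\n", run_scenario(0, 1));
    printf("stop-then-cancel, no late event : %d\n", run_scenario(1, 0));
    printf("stop-then-cancel, late event    : %d\n", run_scenario(1, 1));
    return 0;
}
```

Only the second scenario fails: the instance that was pending at teardown is completed by the cancel in both orderings, so d966ddcc3821's reasoning was right for that instance, but a queue issued after the cancel is invisible to it unless the producer has already been shut down. The general rule this illustrates applies to any object with a work item: stop every path that can call queue_work() before the final cancel_work_sync(), and only then free the object.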

Potential Impact

For European organizations the exposure is concentrated in Linux systems that actually use TIPC, which in practice means telecom equipment, clustered control planes and some high-availability data-center software; general-purpose servers rarely use it. On most distributions tipc is built as a loadable module, and creating an AF_TIPC socket is enough to make the kernel autoload it, so a host that does not use TIPC is still reachable unless autoloading of the module is blocked. The vulnerable path is the teardown of a network namespace while TIPC discovery can still queue tipc_net_finalize_work(); on systems that allow unprivileged user namespaces, an unprivileged local user can create and destroy such namespaces, which is how a fuzzer like syzbot reaches it. The realistic outcome of hitting the race is a kernel crash, i.e. a denial of service that on a container host or other multi-tenant system takes down every workload sharing that kernel. Turning the freed-memory read into privilege escalation or cross-tenant data access would additionally require winning the race reliably and reclaiming the freed object with attacker-controlled data; no public exploit is known and none has been reported in the wild at the time of this analysis. The CVSS 7.8 rating assumes low attack complexity; a race of this kind is usually harder to exploit reliably than that suggests, but repeated attempts are cheap, so denial of service remains a practical concern and the issue should be patched with priority on hosts where the tipc module is loaded or loadable.

Mitigation Recommendations

Patching is the only complete fix: move to a kernel release that carries the reordering of cancel_work_sync() in the TIPC namespace teardown, as listed in the kernel stable and distribution advisories for CVE-2022-49696, and confirm the running kernel version after reboot rather than the installed package version. Where patching must wait, reduce reachability rather than rely on generic hardening: if TIPC is not used, make sure the tipc module is not loaded and block its autoloading with a modprobe.d rule that blacklists it and overrides its install command, then verify that no module named tipc appears in the loaded-module list. On kernels with TIPC built in this is not possible, and the remaining option is to prevent untrusted users from creating network namespaces, for example by lowering the user-namespace limit (user.max_user_namespaces) or the distribution's unprivileged-userns setting, accepting that this breaks rootless containers. SELinux and AppArmor do not stop a kernel use-after-free, but a policy that denies AF_TIPC socket creation and CAP_NET_ADMIN to untrusted domains removes the trigger path. For detection, production kernels do not run KASAN, so the observable signal is a kernel oops or panic in the journal or crash dump whose trace mentions tipc_named_reinit or tipc_net_finalize_work running from a kworker; repeated unexplained kworker crashes on a host with tipc loaded should be treated as possible exploitation attempts. Vulnerability scanning identifies unpatched kernels but does not detect exploitation, so keep it as an inventory control and pair it with the crash monitoring above. Keep incident response plans current so that a suspicious crash on a shared host is investigated as a potential attack rather than written off as a hardware fault.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:21:30.443Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd722

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 7/2/2025, 9:41:48 PM

Last updated: 8/2/2025, 3:23:07 AM

