CVE-2022-49700: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/slub: add missing TID updates on slab deactivation The fastpath in slab_alloc_node() assumes that c->slab is stable as long as the TID stays the same. However, two places in __slab_alloc() currently don't update the TID when deactivating the CPU slab. If multiple operations race the right way, this could lead to an object getting lost; or, in an even more unlikely situation, it could even lead to an object being freed onto the wrong slab's freelist, messing up the `inuse` counter and eventually causing a page to be freed to the page allocator while it still contains slab objects. (I haven't actually tested these cases though, this is just based on looking at the code. Writing testcases for this stuff seems like it'd be a pain...) The race leading to state inconsistency is (all operations on the same CPU and kmem_cache): - task A: begin do_slab_free(): - read TID - read pcpu freelist (==NULL) - check `slab == c->slab` (true) - [PREEMPT A->B] - task B: begin slab_alloc_node(): - fastpath fails (`c->freelist` is NULL) - enter __slab_alloc() - slub_get_cpu_ptr() (disables preemption) - enter ___slab_alloc() - take local_lock_irqsave() - read c->freelist as NULL - get_freelist() returns NULL - write `c->slab = NULL` - drop local_unlock_irqrestore() - goto new_slab - slub_percpu_partial() is NULL - get_partial() returns NULL - slub_put_cpu_ptr() (enables preemption) - [PREEMPT B->A] - task A: finish do_slab_free(): - this_cpu_cmpxchg_double() succeeds() - [CORRUPT STATE: c->slab==NULL, c->freelist!=NULL] From there, the object on c->freelist will get lost if task B is allowed to continue from here: It will proceed to the retry_load_slab label, set c->slab, then jump to load_freelist, which clobbers c->freelist. But if we instead continue as follows, we get worse corruption: - task A: run __slab_free() on object from other struct slab: - CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial) - task A: run slab_alloc_node() with NUMA node constraint: - fastpath fails (c->slab is NULL) - call __slab_alloc() - slub_get_cpu_ptr() (disables preemption) - enter ___slab_alloc() - c->slab is NULL: goto new_slab - slub_percpu_partial() is non-NULL - set c->slab to slub_percpu_partial(c) - [CORRUPT STATE: c->slab points to slab-1, c->freelist has objects from slab-2] - goto redo - node_match() fails - goto deactivate_slab - existing c->freelist is passed into deactivate_slab() - inuse count of slab-1 is decremented to account for object from slab-2 At this point, the inuse count of slab-1 is 1 lower than it should be. This means that if we free all allocated objects in slab-1 except for one, SLUB will think that slab-1 is completely unused, and may free its page, leading to use-after-free.
AI Analysis
Technical Summary
CVE-2022-49700 is a high-severity vulnerability in the Linux kernel's SLUB memory allocator subsystem, specifically within the slab allocator implementation. The flaw arises from missing updates to the Thread ID (TID) during slab deactivation, which leads to race conditions when multiple operations concurrently access the same CPU slab cache. The slab allocator uses per-CPU caches to optimize memory allocation performance, relying on the stability of the slab pointer as long as the TID remains unchanged. However, two code paths in __slab_alloc() fail to update the TID when deactivating the CPU slab, causing inconsistencies in the slab's freelist and inuse counters. This can result in objects being lost or freed onto the wrong slab's freelist, corrupting internal state. The most severe consequence is that the allocator may mistakenly believe a slab is unused and free its backing page while it still contains allocated objects, leading to use-after-free conditions. Exploiting this vulnerability requires local access with limited privileges (PR:L), no user interaction, and low attack complexity. The impact affects confidentiality, integrity, and availability since use-after-free can lead to arbitrary code execution, privilege escalation, or system crashes. The vulnerability affects multiple Linux kernel versions identified by the same commit hash, indicating a widespread issue across kernel builds. Although no known exploits are publicly reported, the technical complexity and potential for severe memory corruption make it a critical concern for Linux systems relying on SLUB allocator. The CVSS 3.1 base score is 7.8 (high), reflecting the significant risk posed by this flaw.
Potential Impact
For European organizations, the impact of CVE-2022-49700 is substantial, especially those running Linux-based servers, cloud infrastructure, or embedded systems. The vulnerability can lead to use-after-free conditions, enabling attackers with local access to escalate privileges, execute arbitrary code in kernel context, or cause denial of service via system crashes. This threatens the confidentiality and integrity of sensitive data and the availability of critical services. Industries such as finance, telecommunications, healthcare, and government, which heavily rely on Linux servers and virtualized environments, are at heightened risk. Additionally, organizations using Linux in IoT devices or industrial control systems may face operational disruptions. The complexity of exploitation limits remote attacks, but insider threats or compromised user accounts could leverage this flaw to gain kernel-level control. Given the widespread deployment of Linux across European data centers and enterprises, failure to patch this vulnerability could lead to significant security incidents and regulatory compliance issues under frameworks like GDPR.
Mitigation Recommendations
Mitigation requires applying the official Linux kernel patches that address the missing TID updates during slab deactivation. Organizations should prioritize updating to the latest kernel versions containing the fix. Beyond patching, system administrators should: 1) Restrict local access to trusted users only, minimizing the risk of exploitation by unprivileged accounts. 2) Employ kernel hardening techniques such as Kernel Page Table Isolation (KPTI), SELinux/AppArmor policies, and seccomp filters to limit the impact of potential kernel exploits. 3) Monitor kernel logs and system behavior for anomalies indicative of memory corruption or use-after-free exploitation attempts. 4) Use runtime security tools capable of detecting unusual slab allocator behavior or memory corruption patterns. 5) In environments where immediate patching is not feasible, consider isolating vulnerable systems or limiting their exposure to untrusted users. 6) Maintain regular backups and incident response plans to quickly recover from potential exploitation. These targeted measures complement patching and reduce the attack surface related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
CVE-2022-49700: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/slub: add missing TID updates on slab deactivation The fastpath in slab_alloc_node() assumes that c->slab is stable as long as the TID stays the same. However, two places in __slab_alloc() currently don't update the TID when deactivating the CPU slab. If multiple operations race the right way, this could lead to an object getting lost; or, in an even more unlikely situation, it could even lead to an object being freed onto the wrong slab's freelist, messing up the `inuse` counter and eventually causing a page to be freed to the page allocator while it still contains slab objects. (I haven't actually tested these cases though, this is just based on looking at the code. Writing testcases for this stuff seems like it'd be a pain...) The race leading to state inconsistency is (all operations on the same CPU and kmem_cache): - task A: begin do_slab_free(): - read TID - read pcpu freelist (==NULL) - check `slab == c->slab` (true) - [PREEMPT A->B] - task B: begin slab_alloc_node(): - fastpath fails (`c->freelist` is NULL) - enter __slab_alloc() - slub_get_cpu_ptr() (disables preemption) - enter ___slab_alloc() - take local_lock_irqsave() - read c->freelist as NULL - get_freelist() returns NULL - write `c->slab = NULL` - drop local_unlock_irqrestore() - goto new_slab - slub_percpu_partial() is NULL - get_partial() returns NULL - slub_put_cpu_ptr() (enables preemption) - [PREEMPT B->A] - task A: finish do_slab_free(): - this_cpu_cmpxchg_double() succeeds() - [CORRUPT STATE: c->slab==NULL, c->freelist!=NULL] From there, the object on c->freelist will get lost if task B is allowed to continue from here: It will proceed to the retry_load_slab label, set c->slab, then jump to load_freelist, which clobbers c->freelist. But if we instead continue as follows, we get worse corruption: - task A: run __slab_free() on object from other struct slab: - CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial) - task A: run slab_alloc_node() with NUMA node constraint: - fastpath fails (c->slab is NULL) - call __slab_alloc() - slub_get_cpu_ptr() (disables preemption) - enter ___slab_alloc() - c->slab is NULL: goto new_slab - slub_percpu_partial() is non-NULL - set c->slab to slub_percpu_partial(c) - [CORRUPT STATE: c->slab points to slab-1, c->freelist has objects from slab-2] - goto redo - node_match() fails - goto deactivate_slab - existing c->freelist is passed into deactivate_slab() - inuse count of slab-1 is decremented to account for object from slab-2 At this point, the inuse count of slab-1 is 1 lower than it should be. This means that if we free all allocated objects in slab-1 except for one, SLUB will think that slab-1 is completely unused, and may free its page, leading to use-after-free.
AI-Powered Analysis
Technical Analysis
CVE-2022-49700 is a high-severity vulnerability in the Linux kernel's SLUB memory allocator subsystem, specifically within the slab allocator implementation. The flaw arises from missing updates to the Thread ID (TID) during slab deactivation, which leads to race conditions when multiple operations concurrently access the same CPU slab cache. The slab allocator uses per-CPU caches to optimize memory allocation performance, relying on the stability of the slab pointer as long as the TID remains unchanged. However, two code paths in __slab_alloc() fail to update the TID when deactivating the CPU slab, causing inconsistencies in the slab's freelist and inuse counters. This can result in objects being lost or freed onto the wrong slab's freelist, corrupting internal state. The most severe consequence is that the allocator may mistakenly believe a slab is unused and free its backing page while it still contains allocated objects, leading to use-after-free conditions. Exploiting this vulnerability requires local access with limited privileges (PR:L), no user interaction, and low attack complexity. The impact affects confidentiality, integrity, and availability since use-after-free can lead to arbitrary code execution, privilege escalation, or system crashes. The vulnerability affects multiple Linux kernel versions identified by the same commit hash, indicating a widespread issue across kernel builds. Although no known exploits are publicly reported, the technical complexity and potential for severe memory corruption make it a critical concern for Linux systems relying on SLUB allocator. The CVSS 3.1 base score is 7.8 (high), reflecting the significant risk posed by this flaw.
Potential Impact
For European organizations, the impact of CVE-2022-49700 is substantial, especially those running Linux-based servers, cloud infrastructure, or embedded systems. The vulnerability can lead to use-after-free conditions, enabling attackers with local access to escalate privileges, execute arbitrary code in kernel context, or cause denial of service via system crashes. This threatens the confidentiality and integrity of sensitive data and the availability of critical services. Industries such as finance, telecommunications, healthcare, and government, which heavily rely on Linux servers and virtualized environments, are at heightened risk. Additionally, organizations using Linux in IoT devices or industrial control systems may face operational disruptions. The complexity of exploitation limits remote attacks, but insider threats or compromised user accounts could leverage this flaw to gain kernel-level control. Given the widespread deployment of Linux across European data centers and enterprises, failure to patch this vulnerability could lead to significant security incidents and regulatory compliance issues under frameworks like GDPR.
Mitigation Recommendations
Mitigation requires applying the official Linux kernel patches that address the missing TID updates during slab deactivation. Organizations should prioritize updating to the latest kernel versions containing the fix. Beyond patching, system administrators should: 1) Restrict local access to trusted users only, minimizing the risk of exploitation by unprivileged accounts. 2) Employ kernel hardening techniques such as Kernel Page Table Isolation (KPTI), SELinux/AppArmor policies, and seccomp filters to limit the impact of potential kernel exploits. 3) Monitor kernel logs and system behavior for anomalies indicative of memory corruption or use-after-free exploitation attempts. 4) Use runtime security tools capable of detecting unusual slab allocator behavior or memory corruption patterns. 5) In environments where immediate patching is not feasible, consider isolating vulnerable systems or limiting their exposure to untrusted users. 6) Maintain regular backups and incident response plans to quickly recover from potential exploitation. These targeted measures complement patching and reduce the attack surface related to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:21:30.443Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe489f
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 7/3/2025, 2:25:37 AM
Last updated: 8/12/2025, 9:25:28 PM
Views: 16
Related Threats
CVE-2025-43732: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal
MediumCVE-2025-9103: Cross Site Scripting in ZenCart
MediumCVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.