
CVE-2022-49764: Vulnerability in Linux Linux

High
Published: Thu May 01 2025 (05/01/2025, 14:09:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent bpf program recursion for raw tracepoint probes

We got a report from syzbot [1] about warnings that were caused by a bpf program attached to the contention_begin raw tracepoint triggering the same tracepoint by using the bpf_trace_printk helper, which takes the trace_printk_lock lock.

Call Trace:
 <TASK>
 ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90
 bpf_trace_printk+0x2b/0xe0
 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
 bpf_trace_run2+0x26/0x90
 native_queued_spin_lock_slowpath+0x1c6/0x2b0
 _raw_spin_lock_irqsave+0x44/0x50
 bpf_trace_printk+0x3f/0xe0
 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
 bpf_trace_run2+0x26/0x90
 native_queued_spin_lock_slowpath+0x1c6/0x2b0
 _raw_spin_lock_irqsave+0x44/0x50
 bpf_trace_printk+0x3f/0xe0
 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
 bpf_trace_run2+0x26/0x90
 native_queued_spin_lock_slowpath+0x1c6/0x2b0
 _raw_spin_lock_irqsave+0x44/0x50
 bpf_trace_printk+0x3f/0xe0
 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
 bpf_trace_run2+0x26/0x90
 native_queued_spin_lock_slowpath+0x1c6/0x2b0
 _raw_spin_lock_irqsave+0x44/0x50
 bpf_trace_printk+0x3f/0xe0
 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24
 bpf_trace_run2+0x26/0x90
 native_queued_spin_lock_slowpath+0x1c6/0x2b0
 _raw_spin_lock_irqsave+0x44/0x50
 __unfreeze_partials+0x5b/0x160
 ...

This can be reproduced by attaching a bpf program as a raw tracepoint on the contention_begin tracepoint. The bpf prog calls the bpf_trace_printk helper. Then, by running perf bench, the spin lock code is forced to take the slow path and call the contention_begin tracepoint.

Fixing this by skipping execution of the bpf program if it's already running, using the bpf prog 'active' field, which is currently used by trampoline programs for the same reason.

Moving bpf_prog_inc_misses_counter to syscall.c because trampoline.c is compiled in just for the CONFIG_BPF_JIT option.

[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t

AI-Powered Analysis

Last updated: 06/30/2025, 01:11:58 UTC

Technical Analysis

CVE-2022-49764 is a vulnerability in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically in raw tracepoint probes. The issue arises when a BPF program attached to the 'contention_begin' raw tracepoint calls the bpf_trace_printk helper. That helper acquires the trace_printk_lock lock; when the lock is contended, the spin lock slow path fires contention_begin again, which re-invokes the same BPF program while it is still running. The vulnerability therefore manifests as unbounded recursion: the BPF program repeatedly triggers itself through the tracepoint, causing a call stack overflow or excessive resource consumption. The kernel call trace in the description shows the same bpf_trace_printk, bpf_prog and bpf_trace_run2 frames nested several times, which is this recursive behavior. The problem can be reproduced by attaching a BPF program to the contention_begin tracepoint and running a workload (such as 'perf bench') that forces the spin lock code onto its slow path, so the tracepoint fires repeatedly. The fix skips execution of a BPF program that is already running, using the BPF program's 'active' field to detect re-entry, the same mechanism trampoline programs already use; the skipped invocation is recorded as a miss. As part of the change, bpf_prog_inc_misses_counter was moved to syscall.c because trampoline.c is only compiled when CONFIG_BPF_JIT is enabled. This vulnerability matters because BPF programs are widely used for performance monitoring, tracing, and security enforcement in Linux environments, and recursive invocation of one can lead to kernel instability, denial of service, or unpredictable behavior. No known exploits in the wild have been reported, and no CVSS score has been assigned yet. The CVE record identifies the affected Linux kernel versions by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and similar builds. The vulnerability was publicly disclosed in May 2025.
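To make the fix mechanism concrete, the following C model (added to this analysis; it is not kernel code and not part of the CVE record) reproduces the recursion guard the commit describes: a program whose 'active' field is already set is skipped and a miss is counted instead of being re-entered. The names probe, tracepoint_fire and simulate and the cap parameter are inventions of this example; the kernel keeps its 'active' field per CPU, which this single-threaded model collapses to one integer, and the depth cap exists only so the unguarded run terminates.

```c
#include <stdio.h>

/* Model of a program attached to a raw tracepoint. All names here are
 * made up for this example; they are not kernel identifiers. */
struct probe {
    int use_guard;        /* 1: apply the 'active' recursion guard, 0: old behaviour */
    int active;           /* set while the program body is executing */
    int depth;            /* current nesting depth of the program body */
    int max_depth;        /* deepest nesting observed during the run */
    unsigned long runs;   /* how many times the body actually ran */
    unsigned long misses; /* how many invocations the guard skipped */
    int cap;              /* example-only bound so the unguarded run terminates */
};

/* Analogue of the tracepoint firing with the program attached. */
static void tracepoint_fire(struct probe *p)
{
    if (p->use_guard && p->active) {
        /* The program is already running in this context: skip it and
         * count the miss rather than re-entering it. */
        p->misses++;
        return;
    }
    if (p->depth >= p->cap)
        return; /* only here so the unguarded case stops; the kernel had no such stop */

    p->active = 1;
    p->depth++;
    p->runs++;
    if (p->depth > p->max_depth)
        p->max_depth = p->depth;

    /* The program body: the helper it calls ends up hitting the same
     * tracepoint again (in the report, bpf_trace_printk taking
     * trace_printk_lock fired contention_begin), modelled here by firing
     * the tracepoint from inside the body. */
    tracepoint_fire(p);

    p->depth--;
    p->active = 0;
}

/* Run one self-triggering program with or without the guard and return
 * its counters. */
struct probe simulate(int use_guard, int cap)
{
    struct probe p = {0};
    p.use_guard = use_guard;
    p.cap = cap;
    tracepoint_fire(&p);
    return p;
}

int main(void)
{
    struct probe old = simulate(0, 16);
    struct probe fixed = simulate(1, 16);
    printf("unguarded: runs=%lu max_depth=%d misses=%lu\n",
           old.runs, old.max_depth, old.misses);
    printf("guarded:   runs=%lu max_depth=%d misses=%lu\n",
           fixed.runs, fixed.max_depth, fixed.misses);
    return 0;
}
```

Without the guard the nesting depth is limited only by the artificial cap (16 here; in the kernel it was limited only by the stack), while with the guard the body runs exactly once and the re-entrant invocation shows up as a single miss, which is the counter the moved bpf_prog_inc_misses_counter maintains in the real fix.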

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with eBPF enabled and using raw tracepoint probes for monitoring or security purposes. Many enterprises, cloud providers, and critical infrastructure operators in Europe rely on Linux-based systems for servers, networking equipment, and embedded devices. Exploitation of this vulnerability could lead to kernel instability or denial of service conditions, impacting availability of critical services. In environments where BPF programs are used extensively for observability or security (e.g., intrusion detection, performance monitoring), this vulnerability could be triggered inadvertently or maliciously, causing service disruptions. Although no known exploits exist currently, the potential for denial of service or kernel crashes could affect data centers, telecom infrastructure, and industrial control systems. The impact on confidentiality and integrity is limited as this vulnerability does not directly allow privilege escalation or arbitrary code execution. However, availability degradation in critical systems could have cascading effects on business operations and service delivery. Organizations in sectors such as finance, healthcare, telecommunications, and government services in Europe should consider this vulnerability seriously due to their dependence on Linux-based infrastructure and the criticality of uptime.

Mitigation Recommendations

To mitigate CVE-2022-49764, European organizations should:

1) Apply the latest Linux kernel patches that include the fix for this vulnerability as soon as they become available. Monitor vendor advisories for updated kernel packages.

2) Audit and review BPF programs deployed in their environments, especially those attached to raw tracepoints like 'contention_begin'. Avoid or limit the use of bpf_trace_printk helper calls within these programs to reduce the risk of recursion.

3) Implement strict controls on who can load or modify BPF programs, restricting this capability to trusted administrators to prevent accidental or malicious deployment of vulnerable BPF code.

4) Monitor kernel logs and system behavior for signs of recursive BPF program execution or unusual tracepoint activity that could indicate attempts to trigger this vulnerability.

5) In environments where immediate patching is not feasible, consider disabling or limiting eBPF raw tracepoint probes temporarily as a workaround, balancing operational needs with security.

6) Engage with Linux distribution vendors and security communities to stay informed about backported fixes and best practices for secure BPF usage.

These steps go beyond generic advice by focusing on the BPF program management and kernel patching strategies specific to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T07:17:33.804Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4acb

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 1:11:58 AM

Last updated: 8/11/2025, 6:43:40 PM

