
CVE-2022-49779: Vulnerability in the Linux kernel

Severity: High
Published: Thu May 01 2025 (05/01/2025, 14:09:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case

In __unregister_kprobe_top(), if the currently unregistered probe has post_handler but other child probes of the aggrprobe do not have post_handler, the post_handler of the aggrprobe is cleared. If this is a ftrace-based probe, there is a problem.

In later calls to disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in __disarm_kprobe_ftrace() and may even cause use-after-free:

  Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
  WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
  Modules linked in: testKprobe_007(-)
  CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
  [...]
  Call Trace:
   <TASK>
   __disable_kprobe+0xcd/0xe0
   __unregister_kprobe_top+0x12/0x150
   ? mutex_lock+0xe/0x30
   unregister_kprobes.part.23+0x31/0xa0
   unregister_kprobe+0x32/0x40
   __x64_sys_delete_module+0x15e/0x260
   ? do_user_addr_fault+0x2cd/0x6b0
   do_syscall_64+0x3a/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  [...]

For the kprobe-on-ftrace case, we keep the post_handler setting to identify this aggrprobe armed with kprobe_ipmodify_ops. This way we can disarm it correctly.

AI-Powered Analysis

Last updated: 06/30/2025, 01:27:00 UTC

Technical Analysis

CVE-2022-49779 is a vulnerability identified in the Linux kernel's kprobes subsystem, specifically related to the handling of aggregated probes (aggrprobe) in the kprobe-on-ftrace scenario. Kprobes is a kernel debugging mechanism that allows dynamic instrumentation of kernel code by inserting probes at specified points. The vulnerability arises in the __unregister_kprobe_top() function, where the post_handler callback of an aggrprobe is incorrectly cleared if the currently unregistered probe has a post_handler but other child probes do not. This improper clearing leads to a mismatch in the disarming process of the probe. In the kprobe-on-ftrace case, the system mistakenly uses kprobe_ftrace_ops for disarming when it should use kprobe_ipmodify_ops, causing a WARN message and potentially triggering a use-after-free condition. This can lead to kernel instability or crashes due to improper memory handling. The patch corrects this by preserving the post_handler setting for aggrprobes armed with kprobe_ipmodify_ops, ensuring proper disarming and preventing the use-after-free scenario. This vulnerability affects Linux kernel versions prior to the fix and is particularly relevant for systems utilizing kprobes for debugging or monitoring kernel behavior.

Potential Impact

The vulnerability primarily impacts the stability and integrity of Linux systems that use kprobes, especially those employing kprobe-on-ftrace for dynamic tracing. Exploitation could lead to kernel warnings, crashes, or use-after-free conditions, potentially causing denial of service (DoS) through system instability or kernel panics. For European organizations, many of which rely on Linux-based infrastructure for servers, cloud environments, and embedded systems, this vulnerability could disrupt critical services, leading to downtime and operational impact. While there is no evidence of active exploitation, the potential for kernel crashes can affect high-availability environments, industrial control systems, and telecommunications infrastructure. Additionally, any kernel-level instability could be leveraged as part of a broader attack chain, increasing risk to confidentiality and integrity if combined with other vulnerabilities.

Mitigation Recommendations

Organizations should promptly apply the official Linux kernel patches that address CVE-2022-49779 to ensure the correct handling of kprobe post_handler callbacks. System administrators should audit their use of kprobes, especially in production environments, and consider temporarily disabling kprobe-on-ftrace functionality if patching is delayed and if the use of such probes is not critical. Monitoring kernel logs for WARN messages related to kprobes can help detect attempts to trigger this vulnerability. For environments using custom or third-party kernel modules that leverage kprobes, validate compatibility with patched kernels. Additionally, implement strict kernel module loading policies and use security modules like SELinux or AppArmor to restrict unauthorized kernel debugging activities. Regularly update Linux distributions to incorporate the latest security fixes and maintain robust backup and recovery procedures to mitigate potential downtime.
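The recommendation above to watch kernel logs for kprobes-related WARN messages can be turned into a small log check. The following is an added example for this record, not code from the kernel or from this site: it scans dmesg or journalctl -k output for the two signatures that appear in the commit message's WARN excerpt (the "Failed to disarm kprobe-ftrace" line and the WARNING from __disarm_kprobe_ftrace) and pulls the module list and the offending task out of the lines that follow. The sample log lines are constructed from that excerpt; the kprobes.c line number (1135 in 6.1.0-rc4) shifts between kernel versions, so the pattern keys on the function name instead of the line number.

```python
"""Flag the kprobe-on-ftrace disarm failure described in CVE-2022-49779 in kernel logs.

Added example for this record (not kernel code). Sample lines are constructed
from the WARN excerpt in the commit message.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Strip a dmesg "[   97.338120] " or journalctl "... kernel: " prefix so the
# matchers below see the raw kernel message.
PREFIX_RE = re.compile(r"^(?:\[\s*\d+\.\d+\]\s*|.*?\bkernel:\s*)")

# Signatures taken from the commit message's WARN output. The kernel/kprobes.c
# line number changes between kernels, so we match the function name instead.
DISARM_FAIL_RE = re.compile(
    r"Failed to disarm kprobe-ftrace at (?P<symbol>\S+) \(error (?P<err>-?\d+)\)")
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at kernel/kprobes\.c:\d+ "
    r"(?P<func>__disarm_kprobe_ftrace\S*)")
MODULES_RE = re.compile(r"^Modules linked in: (?P<mods>.*)$")
COMM_RE = re.compile(r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # disarm_failure | kprobes_warn | modules | task
    detail: str


def scan_kernel_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that matches the CVE-2022-49779 pattern."""
    findings: List[Finding] = []
    in_warn_header = False  # True between the WARNING line and "Call Trace:"
    for n, raw in enumerate(lines, 1):
        text = PREFIX_RE.sub("", raw.rstrip("\n"), count=1).strip()
        if m := DISARM_FAIL_RE.search(text):
            findings.append(Finding(n, "disarm_failure", f"{m['symbol']} error {m['err']}"))
        elif m := WARN_RE.search(text):
            findings.append(Finding(n, "kprobes_warn",
                                    f"cpu={m['cpu']} pid={m['pid']} func={m['func']}"))
            in_warn_header = True
        elif in_warn_header and (m := MODULES_RE.match(text)):
            # The module list names the loadable module that owned the probe.
            findings.append(Finding(n, "modules", m["mods"]))
        elif in_warn_header and (m := COMM_RE.match(text)):
            # The task line names the process (here rmmod) that unregistered it.
            findings.append(Finding(n, "task", f"{m['comm']} pid={m['pid']}"))
        elif text.startswith("Call Trace:"):
            in_warn_header = False
    return findings


def matches_cve_signature(findings: List[Finding]) -> bool:
    """True only when both the disarm failure and the kprobes WARN are present."""
    kinds = {f.kind for f in findings}
    return {"disarm_failure", "kprobes_warn"} <= kinds


# Constructed dmesg-style sample built from the excerpt in the commit message,
# with unrelated kernel lines around it to show that noise is ignored.
SAMPLE_DMESG = """\
[   42.101001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   97.338120] Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)
[   97.338130] WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0
[   97.338133] Modules linked in: testKprobe_007(-)
[   97.338139] CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18
[   97.338145] Call Trace:
[   97.338147]  <TASK>
[   97.338150]  __disable_kprobe+0xcd/0xe0
[   97.338155]  __unregister_kprobe_top+0x12/0x150
[  120.000000] EXT4-fs (sda1): mounted filesystem with ordered data mode.
"""

if __name__ == "__main__":
    found = scan_kernel_log(SAMPLE_DMESG.splitlines())
    for f in found:
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print("CVE-2022-49779 signature present:", matches_cve_signature(found))
```

To run it against a live host, feed it the output of dmesg or journalctl -k (for example, `scan_kernel_log(open("/var/log/kern.log"))`); the prefix stripper handles both formats. A hit means a kprobe-on-ftrace probe was disarmed with the wrong ftrace ops on an unpatched kernel, which is the condition the commit message ties to the possible use-after-free, so the host should be treated as unstable and scheduled for the patched kernel rather than just having the warning cleared.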


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T07:17:33.806Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4b5b

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 1:27:00 AM

Last updated: 8/15/2025, 9:51:19 AM
