CVE-2022-49796: Vulnerability in Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit()

When test_gen_kprobe_cmd() fails after kprobe_event_gen_cmd_end(), it will goto delete, which will call kprobe_event_delete() and release the corresponding resource. However, the trace_array in gen_kretprobe_test will point to the invalid resource. Set gen_kretprobe_test to NULL after calling kprobe_event_delete() to prevent the null-ptr-deref.

BUG: kernel NULL pointer dereference, address: 0000000000000070
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 246 Comm: modprobe Tainted: G        W          6.1.0-rc1-00174-g9522dc5c87da-dirty #248
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0
Code: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c 01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65 70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f
RSP: 0018:ffffc9000159fe00 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000
RDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064
R13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000
FS:  00007f89eeff6540(0000) GS:ffff88813b600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __ftrace_set_clr_event+0x3e/0x60
 trace_array_set_clr_event+0x35/0x50
 ? 0xffffffffa0000000
 kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test]
 __x64_sys_delete_module+0x206/0x380
 ? lockdep_hardirqs_on_prepare+0xd8/0x190
 ? syscall_enter_from_user_mode+0x1c/0x50
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f89eeb061b7
AI Analysis
Technical Summary
CVE-2022-49796 is a vulnerability in the Linux kernel's tracing subsystem, specifically in its kprobe event-generation test code. Kprobes are a kernel debugging mechanism that allows dynamic instrumentation of kernel code. The vulnerability arises in kprobe_event_gen_test_exit(): when test_gen_kprobe_cmd() fails after kprobe_event_gen_cmd_end(), the error path calls kprobe_event_delete() to release the event and its resources, but gen_kretprobe_test, and the trace_array reached through it, are not reset to NULL afterwards, so the module is left holding a dangling pointer to released memory. When kprobe_event_gen_test_exit() later uses that pointer, the result is a NULL pointer dereference (null-ptr-deref) and a kernel oops, which crashes the system or causes a kernel panic. The kernel log quoted in the description shows the crash in __ftrace_set_clr_event_nolock(), reached from kprobe_event_gen_test_exit() during module removal (delete_module invoked by modprobe), which indicates that the bug can be triggered by unprivileged or privileged users manipulating kernel probes or modules. The root cause is improper cleanup and pointer invalidation after resource deallocation in the kprobe event generation test code. No exploits are reported in the wild, but the vulnerability can cause a denial of service (DoS) by crashing the kernel. It affects Linux kernel versions prior to the patch that sets gen_kretprobe_test to NULL after kprobe_event_delete(), which prevents the null pointer dereference. It is particularly relevant for systems that use kernel tracing and debugging features, including development, testing, and production environments running kernels with kprobe support.
Potential Impact
For European organizations, the primary impact of CVE-2022-49796 is a potential denial of service: the null pointer dereference in the kernel's tracing subsystem crashes the kernel. This can disrupt critical services, especially where Linux servers underpin infrastructure, cloud services, or embedded systems. Organizations running Linux production workloads, including telecommunications, finance, manufacturing, and public sector services, may experience instability or outages if the vulnerability is exploited or triggered unintentionally. Although exploitation does not appear to allow privilege escalation or direct data compromise, the resulting kernel panic causes downtime, loss of availability, and operational disruption. Systems with kernel tracing or debugging features enabled, including development and testing platforms, are at higher risk. The absence of known exploits in the wild reduces the immediate risk, but because the vulnerability is present in widely deployed kernels, prompt attention is needed to avoid accidental or malicious triggering. The impact is heightened in environments with strict uptime requirements or critical infrastructure, where kernel crashes can have cascading effects on service delivery and compliance obligations.
Mitigation Recommendations
To mitigate CVE-2022-49796, European organizations should:
1) Apply the latest Linux kernel patches that address this vulnerability, verifying that the fix setting gen_kretprobe_test to NULL after resource deletion is included.
2) Restrict the use of kernel tracing and kprobe features to trusted administrators, minimizing exposure to unprivileged users who could trigger the issue.
3) Implement kernel hardening and monitoring that detects kernel oops or crash reports related to tracing activity.
4) Where immediate patching is not possible, consider temporarily disabling non-essential kernel tracing features to reduce the attack surface.
5) Test kernel updates in staging environments to verify stability and compatibility before deploying them to production.
6) Maintain an inventory of the Linux kernel versions in use across the infrastructure so that vulnerable systems can be identified promptly.
7) Educate system administrators about the vulnerability and the importance of controlled use of kernel debugging tools.
These measures go beyond generic advice by focusing on kernel tracing feature management and operational controls specific to this vulnerability.
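The following Python is an added example, not code from the page or the kernel project: it triages a kernel oops like the one quoted in the description and flags it as a tracing-related crash, which is the kind of check the monitoring recommendation in item 3 calls for. The sample oops is a trimmed copy of the one above (constructed for this example), and the list of tracing symbol prefixes is an assumed starting point.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the CVE-2022-49796 oops, reduced to the lines this triage uses.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000070
CPU: 0 PID: 246 Comm: modprobe Tainted: G        W          6.1.0-rc1-00174-g9522dc5c87da-dirty #248
RIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0
Call Trace:
 __ftrace_set_clr_event+0x3e/0x60
 trace_array_set_clr_event+0x35/0x50
 ? 0xffffffffa0000000
 kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test]
 __x64_sys_delete_module+0x206/0x380
 do_syscall_64+0x3f/0x90
"""

# Symbol prefixes treated as tracing/kprobe code (assumption: a starting list, extend as needed).
TRACING_PREFIXES = ("__ftrace_", "ftrace_", "trace_", "kprobe", "kretprobe")
# One stack frame: optional '?' (unreliable frame), symbol+off/len, optional [module] tag.
FRAME_RE = re.compile(r"\s+(\??)\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

@dataclass
class Oops:
    fault_addr: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    rip_symbol: Optional[str] = None                  # kernel-mode RIP (CS 0010) only
    frames: List[str] = field(default_factory=list)   # reliable frames; '?' frames dropped
    modules: List[str] = field(default_factory=list)  # [module] tags seen in the trace

def parse_oops(text: str) -> Oops:
    o, in_trace = Oops(), False
    for line in text.splitlines():
        if m := re.match(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)", line):
            o.fault_addr = int(m.group(1), 16)
        elif m := re.search(r"PID: (\d+) Comm: (\S+)", line):
            o.pid, o.comm = int(m.group(1)), m.group(2)
        elif m := re.match(r"RIP: 0010:([A-Za-z_][\w.]*)\+", line):
            o.rip_symbol = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m.group(1):
                o.frames.append(m.group(2))
            if m.group(3):
                o.modules.append(m.group(3))
    return o

def is_tracing_crash(o: Oops) -> bool:
    """True when the faulting RIP or any reliable frame lies in tracing/kprobe code."""
    syms = ([o.rip_symbol] if o.rip_symbol else []) + o.frames
    return any(s.startswith(TRACING_PREFIXES) for s in syms)
```

A small fault address such as 0x70 together with a tracing RIP and a module tag in the trace is the signature to alert on; feed lines from dmesg or the journal instead of SAMPLE_OOPS in practice.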
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.224Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4c12
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 1:42:07 AM
Last updated: 7/26/2025, 3:27:06 PM