
CVE-2022-49799: Vulnerability in Linux Linux

High
Published: Thu May 01 2025 (05/01/2025, 14:09:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix wild-memory-access in register_synth_event()

In register_synth_event(), if set_synth_event_print_fmt() failed, then both trace_remove_event_call() and unregister_trace_event() will be called, which means the trace_event_call will call __unregister_trace_event() twice. As a result, the second unregister will cause the wild-memory-access.

    register_synth_event
        set_synth_event_print_fmt failed
        trace_remove_event_call
            event_remove
                if call->event.funcs then
                __unregister_trace_event (first call)
        unregister_trace_event
            __unregister_trace_event (second call)

Fix the bug by avoiding the second call to __unregister_trace_event(), checking whether the first one was called.

    general protection fault, probably for non-canonical address 0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
    KASAN: maybe wild-memory-access in range [0xdead000000000120-0xdead000000000127]
    CPU: 0 PID: 3807 Comm: modprobe Not tainted 6.1.0-rc1-00186-g76f33a7eedb4 #299
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
    RIP: 0010:unregister_trace_event+0x6e/0x280
    Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b
    RSP: 0018:ffff88810413f370 EFLAGS: 00010a06
    RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000
    RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20
    RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481
    R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122
    R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028
    FS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     __create_synth_event+0x1e37/0x1eb0
     create_or_delete_synth_event+0x110/0x250
     synth_event_run_command+0x2f/0x110
     test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]
     synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]
     do_one_initcall+0xdb/0x480
     do_init_module+0x1cf/0x680
     load_module+0x6a50/0x70a0
     __do_sys_finit_module+0x12f/0x1c0
     do_syscall_64+0x3f/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

AI-Powered Analysis

Last updated: 06/30/2025, 01:42:48 UTC

Technical Analysis

CVE-2022-49799 is a vulnerability in the Linux kernel's tracing subsystem, specifically in the function register_synth_event(). The issue arises when set_synth_event_print_fmt() fails while a synthetic trace event is being registered. On this failure path the kernel calls both trace_remove_event_call() and unregister_trace_event(), so __unregister_trace_event() runs twice on the same trace_event_call. The second unregistration causes a wild memory access, that is, a dereference of an invalid pointer, which can crash or destabilize the kernel. It manifests as a general protection fault on a non-canonical address, as shown by the kernel address sanitizer (KASAN) report and call trace in the description. The root cause is the absence of state tracking that would prevent the second call to __unregister_trace_event() after the first has already run. The fix adds a check so that the second unregister call is skipped if the first has already occurred, which prevents the wild memory access. The vulnerability affects Linux kernel versions prior to the patch and lies in the kernel tracing infrastructure, which is widely used for debugging and performance monitoring. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
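
The double unregistration and the guard described above can be modeled in user space. This is an added example, not kernel code or the upstream patch: the struct and function names are hypothetical stand-ins, and the two poison constants are the RBP and R12 values from the oops in the description.

```c
/* User-space model of the double unregister (hypothetical names, not kernel code). */
#include <stdint.h>
#include <stdio.h>

struct node  { struct node *next, *prev; };
struct event { struct node link; int has_funcs; };
/* Same values as RBP and R12 in the oops: the kernel's list poison on x86-64. */
#define POISON_NEXT ((struct node *)(uintptr_t)0xdead000000000100ULL)
#define POISON_PREV ((struct node *)(uintptr_t)0xdead000000000122ULL)

static struct node head = { &head, &head };

/* Stand-in for __unregister_trace_event(): 1 = unlinked, -1 = would fault. */
static int unlink_event(struct event *ev)
{
    struct node *n = &ev->link;
    if (n->next == POISON_NEXT || n->prev == POISON_PREV)
        return -1;                          /* second unlink sees poison */
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = POISON_NEXT;
    n->prev = POISON_PREV;
    return 1;
}

/* Stand-in for trace_remove_event_call(): unlinks only when funcs is set. */
static int remove_event_call(struct event *ev)
{
    return ev->has_funcs ? unlink_event(ev) : 0;
}

/* Error path after the print-format step fails; returns wild accesses hit. */
int run_error_path(int guarded)
{
    struct event ev = { { head.next, &head }, 1 };
    int first, wild = 0;
    head.next->prev = &ev.link;             /* registration links the event */
    head.next = &ev.link;
    first = remove_event_call(&ev);         /* first unregister */
    if (!(guarded && first == 1))
        wild += unlink_event(&ev) == -1;    /* second unregister */
    return wild;
}

int main(void)
{
    printf("wild accesses: unguarded=%d guarded=%d\n", run_error_path(0), run_error_path(1));
    return 0;
}
```

The model returns an error where the kernel would dereference the poisoned pointer, so it can be run safely to compare the unguarded and guarded error paths.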

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing kernel tracing features for diagnostics or monitoring. Exploitation could lead to kernel crashes or denial of service (DoS), impacting system availability and potentially causing disruptions in critical infrastructure, cloud services, and enterprise environments relying on Linux servers. While direct privilege escalation or remote code execution is not explicitly indicated, the instability caused by wild memory access could be leveraged in complex attack chains. Organizations in sectors such as finance, telecommunications, manufacturing, and government, which heavily depend on Linux-based systems, may experience operational interruptions. Additionally, embedded Linux devices used in industrial control systems or IoT deployments across Europe could be affected if they run unpatched kernels. The absence of known exploits reduces immediate risk, but the vulnerability's nature warrants prompt attention to prevent future exploitation attempts.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Specifically, they should apply the latest stable kernel releases that include the fix preventing double unregistration in register_synth_event(). For environments where immediate patching is challenging, disabling or limiting the use of synthetic trace events and kernel tracing features can reduce exposure. System administrators should audit kernel modules and tracing configurations to identify usage of the affected functions. Employing kernel address sanitizers (KASAN) or similar runtime memory error detectors in testing environments can help detect related issues proactively. Additionally, organizations should implement robust monitoring for kernel crashes or unusual system behavior indicative of wild memory access. Coordinating with Linux distribution maintainers to ensure timely patch deployment and verifying kernel versions across infrastructure is critical. For embedded devices, firmware updates incorporating patched kernels should be prioritized. Finally, maintaining strict access controls to kernel debugging and tracing interfaces will limit the potential for exploitation by unauthorized users.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.225Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982cc4522896dcbe4c2a

Added to database: 5/21/2025, 9:09:00 AM

Last enriched: 6/30/2025, 1:42:48 AM

Last updated: 8/15/2025, 7:55:14 PM
