CVE-2022-49840: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of aarch64 alignment fault if KFENCE enabled. When the size from user bpf program is an odd number, like 399, 407, etc, it will cause the struct skb_shared_info's unaligned access. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
 __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
 arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
 __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
 skb_clone+0xf4/0x214 net/core/skbuff.c:1481
 ____bpf_clone_redirect net/core/filter.c:2433 [inline]
 bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
 bpf_prog_d3839dd9068ceb51+0x80/0x330
 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
 bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.
AI Analysis
Technical Summary
CVE-2022-49840 is a vulnerability identified in the Linux kernel related to the Berkeley Packet Filter (BPF) subsystem, specifically within the function bpf_prog_test_run_skb(). The issue arises due to an alignment problem on the aarch64 architecture when Kernel Electric Fence (KFENCE) is enabled. KFENCE is a kernel memory error detector designed to catch use-after-free and other memory corruption bugs. The vulnerability manifests when the size parameter from a user BPF program is an odd number (e.g., 399, 407), leading to unaligned access of the struct skb_shared_info, which is critical for managing socket buffer metadata in the networking stack. This unaligned access triggers a use-after-free read error, as evidenced by the KFENCE bug report showing a use-after-free read in __skb_clone() within net/core/skbuff.c. The root cause is that the size plus headroom is not aligned to SMP_CACHE_BYTES, causing the struct skb_shared_info to be misaligned relative to the CPU cache line size. The fix involves adjusting the size parameter so that (size + headroom) aligns properly to SMP_CACHE_BYTES, ensuring that skb_shared_info is cache-line aligned and preventing unaligned memory accesses that lead to use-after-free conditions. This vulnerability is specific to Linux kernel versions containing the affected commit (hash 1cf1cae963c2e6032aebe1637e995bc2f5d330f4) and affects systems running on ARM64 architecture with KFENCE enabled. Although no known exploits are reported in the wild, the vulnerability could be triggered by malicious or malformed BPF programs that manipulate socket buffers, potentially leading to kernel memory corruption and instability.
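As an added illustration (not the kernel's code and not from this advisory), the C model below follows the buffer layout in bpf_prog_test_run_skb() to show why odd sizes such as the reported 399 and 407 leave struct skb_shared_info at an odd offset, and how rounding size + headroom up to SMP_CACHE_BYTES, as the fix describes, restores cache-line alignment. The constants (64-byte cache line, 66 bytes of headroom, 320-byte skb_shared_info) and the exact-size allocation under KFENCE are assumptions of this model, not values taken from the page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants for this model (arm64-like): 64-byte cache lines,
 * NET_SKB_PAD (64) + NET_IP_ALIGN (2) bytes of headroom and a 320-byte
 * struct skb_shared_info. Real values depend on the kernel build. */
#define SMP_CACHE_BYTES 64u
#define HEADROOM        66u
#define SHINFO_SIZE     320u
/* Round x up to a multiple of a (a power of two), like SKB_DATA_ALIGN. */
static unsigned int align_up(unsigned int x, unsigned int a) {
    return (x + a - 1) & ~(a - 1);
}

/* Model of the test_run buffer: kzalloc(size + headroom + tailroom) with
 * tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) and the shared
 * info at skb->end = allocation size - tailroom. Assuming the allocation is
 * exactly that big (as for a KFENCE-guarded object), it lands at headroom + size. */
unsigned int shinfo_offset(unsigned int size) {
    unsigned int tailroom = align_up(SHINFO_SIZE, SMP_CACHE_BYTES);
    return (size + HEADROOM + tailroom) - tailroom;
}

/* Reconstruction of the described fix (not the kernel's own code): grow
 * size so that size + headroom is a multiple of SMP_CACHE_BYTES. */
unsigned int fixed_size(unsigned int size) {
    return align_up(size + HEADROOM, SMP_CACHE_BYTES) - HEADROOM;
}

/* What the fix establishes: the shared info starts on a cache line. */
bool shinfo_cache_aligned(unsigned int size) {
    return shinfo_offset(size) % SMP_CACHE_BYTES == 0;
}

/* atomic_inc() on shinfo->dataref needs natural 4-byte alignment; an odd
 * start offset can never provide it, which is the fault in the report. */
bool shinfo_atomic_aligned(unsigned int size) {
    return shinfo_offset(size) % 4 == 0;
}

int main(void) {
    const unsigned int sizes[] = { 399, 407 };   /* sizes named in the report */
    for (int i = 0; i < 2; i++) {
        unsigned int s = sizes[i], f = fixed_size(s);
        printf("size=%u: shinfo at +%u (%s); fixed size=%u: shinfo at +%u\n", s,
               shinfo_offset(s), shinfo_atomic_aligned(s) ? "ok" : "UNALIGNED", f, shinfo_offset(f));
    }
    return 0;
}
```

With these constants every odd size lands skb_shared_info at an odd offset, and the rounded size moves it to the next 64-byte boundary.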
Potential Impact
For European organizations, the impact of CVE-2022-49840 primarily concerns systems running Linux kernels on ARM64 platforms with KFENCE enabled, which are often found in embedded devices, network appliances, and cloud infrastructure nodes. Exploitation could lead to kernel memory corruption, causing system crashes, denial of service, or potentially enabling privilege escalation if combined with other vulnerabilities. This could disrupt critical services, especially in sectors relying on ARM64-based Linux servers or network devices such as telecommunications, cloud service providers, and industrial control systems. The use-after-free condition could be leveraged by attackers to execute arbitrary code in kernel space or cause persistent instability, impacting confidentiality, integrity, and availability of systems. Given the increasing adoption of ARM64 servers and edge computing devices in Europe, the vulnerability poses a tangible risk to infrastructure stability and security if unpatched. However, the requirement for KFENCE to be enabled and the need for crafted BPF programs somewhat limit the attack surface, reducing the likelihood of widespread exploitation but not eliminating risk in targeted attacks.
Mitigation Recommendations
To mitigate CVE-2022-49840, European organizations should:
1) Apply the latest Linux kernel patches that address this alignment issue, ensuring that the fix aligning skb_shared_info to SMP_CACHE_BYTES is included.
2) Audit and control the deployment of BPF programs, restricting untrusted or user-supplied BPF code execution, especially on ARM64 systems with KFENCE enabled.
3) Disable KFENCE in production environments where it is not required, as it is primarily a debugging tool, to reduce exposure.
4) Implement strict kernel module and syscall filtering policies to limit the ability of unprivileged users to invoke BPF-related syscalls.
5) Monitor kernel logs and KFENCE reports for signs of use-after-free or alignment faults that could indicate exploitation attempts.
6) For embedded and network devices, coordinate with vendors to ensure firmware and kernel updates are applied promptly.
7) Employ runtime security tools capable of detecting anomalous kernel memory behavior and BPF misuse.
These steps go beyond generic patching by emphasizing control over BPF program execution and kernel debugging features that influence exploitability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.229Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4de9
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 2:26:06 AM
Last updated: 8/14/2025, 9:01:45 AM