CVE-2022-49892: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix use-after-free for dynamic ftrace_ops

KASAN reported a use-after-free with ftrace ops [1]. It was found from vmcore that perf had registered two ops with the same content successively, both dynamic. After unregistering the second ops, a use-after-free occurred.

In ftrace_shutdown(), when the second ops is unregistered, the FTRACE_UPDATE_CALLS command is not set because there is another enabled ops with the same content. Also, both ops are dynamic and the ftrace callback function is ftrace_ops_list_func, so the FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value of 'command' will be 0 and ftrace_shutdown() will skip the rcu synchronization.

However, ftrace may be activated. When the ops is released, another CPU may be accessing the ops. Add the missing synchronization to fix this problem.

[1]
BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
 show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b4/0x248 lib/dump_stack.c:118
 print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
 __kasan_report mm/kasan/report.c:547 [inline]
 kasan_report+0x118/0x210 mm/kasan/report.c:564
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
 __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
 ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
 ftrace_graph_call+0x0/0x4
 __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
 __might_fault mm/memory.c:5183 [inline]
 __might_fault+0x58/0x70 mm/memory.c:5171
 do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
 strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
 getname_flags+0xb0/0x31c fs/namei.c:149
 getname+0x2c/0x40 fs/namei.c:209
 [...]

Allocated by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
 kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
 [...]

Freed by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track+0x24/0x34 mm/kasan/common.c:56
 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
 __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
 __kasan_slab_free mm/kasan/common.c:445 [inline]
 kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
 slab_free_hook mm/slub.c:1569 [inline]
 slab_free_freelist_hook mm/slub.c:1608 [inline]
 slab_free mm/slub.c:3179 [inline]
 kfree+0x12c/0xc10 mm/slub.c:4176
 perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 [...]
AI Analysis
Technical Summary
CVE-2022-49892 is a use-after-free vulnerability in the Linux kernel's ftrace subsystem, specifically in the handling of dynamic ftrace_ops. The flaw arises when multiple dynamic ftrace operations with identical content are registered and subsequently unregistered. During the unregistration of the second operation, the kernel sets neither of the update commands: FTRACE_UPDATE_CALLS is not set because another enabled operation with the same content still exists, and FTRACE_UPDATE_TRACE_FUNC is not set because both operations are dynamic and already use the ftrace_ops_list_func callback. With the command value left at 0, ftrace_shutdown() skips the required RCU (Read-Copy-Update) synchronization. Consequently, if ftrace remains active, another CPU may still be walking the ops list and access the freed ftrace_ops structure, leading to a use-after-free condition. The vulnerability was detected by the Kernel Address Sanitizer (KASAN) and is evidenced by kernel stack traces showing the invalid memory access. The root cause is a missing synchronization step during the unregistration of dynamic ftrace operations, which can cause kernel memory corruption and potential instability or crashes. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes and is relevant to systems using the ftrace feature, which is commonly employed for kernel tracing and performance monitoring.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the stability and security of Linux-based systems, especially those that use kernel tracing and performance monitoring tools built on ftrace. Exploitation could lead to kernel crashes (denial of service) or potentially enable privilege escalation or arbitrary code execution if attackers can control the timing of ftrace operations. Critical infrastructure, cloud service providers, and enterprises running Linux servers or embedded Linux devices could experience service disruptions or compromise. Since Linux is widely deployed across European governments, financial institutions, telecommunications, and industrial control systems, the impact could be broad. The vulnerability does not require user interaction, but it does require the ability to register and unregister ftrace operations (in the reported case, through perf_event_open), which may be limited to privileged users or processes. However, in multi-tenant or containerized environments, a malicious tenant might exploit this flaw to affect the host kernel or other tenants. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once patches are widely available.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that address this use-after-free vulnerability. Since the vulnerability stems from missing synchronization in ftrace operation unregistration, upgrading to a patched kernel version is the most effective mitigation. In environments where immediate patching is not feasible, organizations should restrict access to kernel tracing and perf features and limit permissions to trusted administrators only. Monitoring kernel logs for KASAN reports or unusual ftrace activity can help detect exploitation attempts; note that KASAN reports appear only on kernels built with KASAN, so on production kernels the same fault surfaces as an unexplained oops or crash with ftrace_ops_list_func in the call trace. Additionally, employing kernel hardening techniques such as Kernel Page Table Isolation (KPTI), Control Flow Integrity (CFI), and enabling kernel lockdown modes can reduce the attack surface. For containerized or virtualized environments, isolating workloads and minimizing privileged container capabilities can mitigate risk. Regular vulnerability scanning and maintaining an inventory of Linux kernel versions in use will aid in timely identification and remediation. Finally, organizations should test kernel updates in staging environments to ensure stability before production deployment.
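One way to act on the log-monitoring recommendation above, as an added example that is not part of this advisory or of the Linux kernel project: a POSIX shell scan that parses KASAN reports out of dmesg-style log text and flags those whose faulting frame is ftrace's ops-list walker, the signature in the report quoted in the description. The sample log is constructed from that report plus unrelated lines; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Linux kernel project.
# Parses KASAN reports out of kernel log text and flags the CVE-2022-49892
# signature: a use-after-free whose faulting frame is ftrace_ops_list_func.

# Constructed sample log: the first report is adapted from the KASAN output
# quoted in the advisory; the second report and the last line are unrelated noise.
SAMPLE_LOG='[  123.456789] BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
[  123.456790] BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
[  123.456791] Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468
[  123.456792] CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
[  200.000000] BUG: KASAN: slab-out-of-bounds in some_other_func+0x10/0x20 drivers/foo.c:42
[  200.000001] Read of size 4 at addr ffff000012345678 by task bar/999
[  300.000000] usb 1-1: new high-speed USB device number 2'

# Emit one tab-separated line per KASAN report: bug type, faulting function, task/PID.
# A report opens at its first "BUG: KASAN:" line (inlined frames repeat that header,
# so later headers of the same report are ignored) and closes at its "by task" line.
kasan_reports() {
    printf '%s\n' "$1" | awk '
        /BUG: KASAN:/ {
            if (!in_report) {
                in_report = 1
                type = $0; sub(/.*BUG: KASAN: /, "", type); sub(/ in .*/, "", type)
                fn = $0; sub(/.*BUG: KASAN: [^ ]+ in /, "", fn); sub(/[+ ].*/, "", fn)
            }
            next
        }
        in_report && /by task / {
            task = $0; sub(/.*by task /, "", task)
            print type "\t" fn "\t" task
            in_report = 0
        }'
}

# Number of reports matching the CVE-2022-49892 signature in the given log text.
ftrace_uaf_count() {
    kasan_reports "$1" | awk -F'\t' \
        '$1 == "use-after-free" && $2 ~ /^_*ftrace_ops_list_func$/ { n++ } END { print n + 0 }'
}

# Task names and PIDs that hit the signature, for follow-up on the host.
ftrace_uaf_tasks() {
    kasan_reports "$1" | awk -F'\t' \
        '$1 == "use-after-free" && $2 ~ /^_*ftrace_ops_list_func$/ { print $3 }'
}

# Stand-alone run over the constructed sample; on a live host pass "$(dmesg)" instead.
ftrace_uaf_count "$SAMPLE_LOG"
```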
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.243Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdd779
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 1:09:39 AM
Last updated: 8/22/2025, 12:25:59 PM