
CVE-2022-49911: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Thu May 01 2025 (05/01/2025, 14:10:53 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: enforce documented limit to prevent allocating huge memory

Daniel Xu reported that the hash:net,iface type of the ipset subsystem does not limit adding the same network with different interfaces to a set, which can lead to huge memory usage or allocation failure.

The quick reproducer is

    $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
    $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done

The backtrace when vmalloc fails:

    [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
    <...>
    [Tue Oct 25 00:13:08 2022] Call Trace:
    [Tue Oct 25 00:13:08 2022] <TASK>
    [Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60
    [Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180
    [Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760
    [Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20
    [Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90
    [Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0
    [Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710
    <...>

The fix is to enforce the limit documented in the ipset(8) manpage:

> The internal restriction of the hash:net,iface set type is that the same
> network prefix cannot be stored with more than 64 different interfaces
> in a single set.

AI-Powered Analysis

Last updated: 06/29/2025, 20:39:58 UTC

Technical Analysis

CVE-2022-49911 is a vulnerability identified in the Linux kernel's netfilter ipset subsystem, specifically affecting the hash:net,iface type. The ipset subsystem is used to manage IP sets for firewall rules and network filtering. The vulnerability arises because the system does not enforce the documented limit on the number of different interfaces that can be associated with the same network prefix in a single set. This omission allows an attacker or misconfigured system to add the same network prefix with more than 64 different interfaces, which leads to excessive memory allocation requests. The excessive memory allocation can cause the kernel to fail vmalloc calls, resulting in allocation failures and potentially leading to denial of service (DoS) conditions due to resource exhaustion. The issue is reproducible by creating a large ipset with a high hashsize and adding multiple entries of the same network prefix with different interface identifiers. The kernel logs show vmalloc errors and stack traces indicating memory allocation failures. The fix implemented enforces the limit of no more than 64 different interfaces per network prefix in a single ipset, as documented in the ipset manpage. This prevents the creation of excessively large data structures and mitigates the risk of memory exhaustion. No known exploits in the wild have been reported, and no CVSS score has been assigned yet. The vulnerability primarily impacts Linux systems using ipset with the hash:net,iface type, which is common in firewall and network filtering configurations.

Potential Impact

For European organizations, the impact of CVE-2022-49911 could be significant in environments where Linux-based firewalls or network filtering systems rely on ipset with the hash:net,iface type. Exploitation of this vulnerability could lead to denial of service conditions by exhausting kernel memory resources, causing network filtering services to fail or degrade. This could disrupt critical network security controls, potentially allowing unauthorized traffic or causing outages in protected services. Organizations with complex network segmentation or multi-interface setups are more likely to use such ipsets and thus face higher risk. The impact is primarily on availability and system stability rather than confidentiality or integrity. However, the resulting downtime or degraded network security posture could indirectly affect data protection and compliance obligations under European regulations such as GDPR. Since Linux is widely used in European enterprise, government, and telecom infrastructure, the vulnerability could affect a broad range of sectors. The lack of known exploits reduces immediate risk, but the potential for DoS attacks in critical network infrastructure warrants prompt attention.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Apply the latest Linux kernel updates that include the fix enforcing the 64-interface limit per network prefix in ipset.
2) Audit existing ipset configurations to identify any sets using the hash:net,iface type and verify they comply with the documented limits.
3) Implement monitoring of kernel logs for vmalloc errors or ipset-related warnings that could indicate attempted exploitation or misconfiguration.
4) Limit administrative access to ipset configuration tools to trusted personnel to prevent accidental or malicious creation of large ipsets.
5) In environments with automated configuration management, add validation checks to prevent creation of ipsets exceeding the documented limits.
6) Consider network segmentation and firewall design to minimize reliance on large ipsets with multiple interfaces.
7) Engage with Linux distribution vendors or security mailing lists to stay informed about patches and advisories related to this vulnerability.

These steps go beyond generic advice by focusing on configuration auditing, monitoring, and operational controls specific to ipset usage.
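Steps 2 and 3 above (auditing hash:net,iface sets against the 64-interface limit and watching kernel logs for the vmalloc failure) can be automated. The script below is an added example written for this advisory; it is not code from the Linux kernel, the ipset project, or the page's author. It parses the text format of `ipset list` (only the Name:, Type: and Members: sections are relied on), counts distinct interface strings per network prefix in every hash:net,iface set, and separately matches the "ipset: vmalloc error" log line quoted in the description. The sample `ipset list` output and kernel log lines are constructed for the example; the set names, interface names and the `audit_live_host` helper are assumptions, while the 64 limit and the vmalloc message come from the page.

```python
"""Audit helpers for CVE-2022-49911 (ipset hash:net,iface interface limit).

Added example for this advisory; not code from the kernel, ipset or the page.
"""
import re
import subprocess
from collections import defaultdict
from dataclasses import dataclass, field

# Limit documented in ipset(8) for hash:net,iface and enforced by the fix.
MAX_IFACES_PER_PREFIX = 64


@dataclass
class IPSet:
    name: str
    type: str = ""
    members: list = field(default_factory=list)


def parse_ipset_list(text):
    """Parse `ipset list` output into IPSet records (Name:/Type:/Members: only)."""
    sets, current, in_members = [], None, False
    for line in text.splitlines():
        if line.startswith("Name:"):
            current = IPSet(name=line.split(":", 1)[1].strip())
            sets.append(current)
            in_members = False
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip():
            current.members.append(line.strip())
    return sets


def ifaces_per_prefix(members):
    """Map each network prefix to the set of interface strings stored with it."""
    per_prefix = defaultdict(set)
    for member in members:
        entry = member.split()[0]          # drop "timeout N", "comment ...", etc.
        if "," not in entry:
            continue                       # not a net,iface element
        net, iface = entry.split(",", 1)   # iface may be "eth0" or "physdev:eth0"
        per_prefix[net].add(iface)         # the kernel stores those as distinct elements
    return per_prefix


def audit_ipset_list(text, limit=MAX_IFACES_PER_PREFIX):
    """Return (set name, prefix, interface count) for every prefix over the limit."""
    findings = []
    for s in parse_ipset_list(text):
        if s.type != "hash:net,iface":
            continue
        for net, ifaces in sorted(ifaces_per_prefix(s.members).items()):
            if len(ifaces) > limit:
                findings.append((s.name, net, len(ifaces)))
    return findings


# Matches the kernel log line quoted in the CVE description.
VMALLOC_RE = re.compile(r"ipset: vmalloc error: size (\d+)")


def find_ipset_vmalloc_errors(log_lines):
    """Return the requested allocation sizes from ipset vmalloc failure lines."""
    return [int(m.group(1)) for line in log_lines if (m := VMALLOC_RE.search(line))]


def audit_live_host():
    """Assumed helper: audit this host's sets (needs root / CAP_NET_ADMIN for `ipset list`)."""
    out = subprocess.run(["ipset", "list"], capture_output=True, text=True, check=True).stdout
    return audit_ipset_list(out)


# Constructed sample `ipset list` output (not captured from a real host):
# one set with 70 interfaces on the same prefix, one set within the limit.
SAMPLE_IPSET_LIST = "\n".join(
    ["Name: ACL.IN.ALL_PERMIT", "Type: hash:net,iface", "Revision: 8",
     "Header: family inet hashsize 1048576 maxelem 65536 timeout 0",
     "Size in memory: 1280", "References: 0", "Number of entries: 70", "Members:"]
    + [f"0.0.0.0/0,kaf_{i} timeout 0" for i in range(70)]
    + ["", "Name: DMZ_IN", "Type: hash:net,iface", "Revision: 8",
       "Header: family inet hashsize 1024 maxelem 65536",
       "Size in memory: 512", "References: 1", "Number of entries: 2", "Members:",
       "10.0.0.0/8,eth0", "10.0.0.0/8,physdev:eth0", ""]
)

# Constructed kernel log lines; the vmalloc line is the one from the CVE text.
SAMPLE_DMESG = [
    "[Tue Oct 25 00:13:07 2022] device eth0 entered promiscuous mode",
    "[Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages",
    "[Tue Oct 25 00:13:08 2022] Call Trace:",
]

if __name__ == "__main__":
    for name, net, n in audit_ipset_list(SAMPLE_IPSET_LIST):
        print(f"{name}: prefix {net} stored with {n} interfaces (limit {MAX_IFACES_PER_PREFIX})")
    for size in find_ipset_vmalloc_errors(SAMPLE_DMESG):
        print(f"kernel log: ipset vmalloc failure requesting {size} bytes")
```

On a patched kernel the audit should never find a violation, because `ipset add` is refused once a prefix already has 64 interfaces; on an unpatched kernel a finding means the set can still grow and the host should be treated as exposed until updated. The log check is the cheaper signal and fits a journald or syslog rule as-is.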


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.248Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe4022

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 8:39:58 PM

Last updated: 7/29/2025, 2:05:49 AM
