CVE-2022-0185
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2022-0185 is a heap-based buffer overflow vulnerability discovered in the Linux kernel's Filesystem Context functionality, specifically in the legacy_parse_param function. The vulnerability was introduced in Linux kernel version 5.1-rc1 in March 2019 and affects all versions up to 5.16. The flaw was discovered by researchers William Liu and Jamie Hill-Daniel and was patched on January 18, 2022 (CVE Mitre, Ubuntu Security).

Technical details

The vulnerability stems from an integer underflow condition in the legacy_parse_param function within fs/fs_context.c. When handling legacy parameters, the function performs a bounds check using the calculation 'PAGE_SIZE - 2 - size'. Because 'size' is an unsigned type, a large value makes the subtraction wrap around, producing a very large positive value instead of the expected negative one. The length check is therefore bypassed, which allows an out-of-bounds write. The vulnerability can be triggered by an unprivileged user who holds CAP_SYS_ADMIN in their own namespace, which can be obtained through unshare(CLONE_NEWNS|CLONE_NEWUSER) (Sysdig Blog, Will's Root).

Impact

The vulnerability has a CVSS score of 8.4 (High severity) and can lead to privilege escalation, container escape, and full system compromise. A successful exploit allows attackers to gain root privileges on the host system, potentially gaining control over all containers running on the system. This access enables attackers to target internal network resources and deploy malicious containers within the production environment (Sysdig Blog, NetApp Security).

Mitigation and workarounds

The primary mitigation is to install the Linux Kernel patch released on January 18, 2022. For systems that cannot be immediately patched, administrators can disable unprivileged user namespaces by setting 'kernel.unprivileged_userns_clone=0' on Ubuntu systems or modifying the user.max_user_namespaces setting on Red Hat systems. The fix involves changing the bounds check in the legacy_parse_param function to prevent the integer underflow condition (Sysdig Blog).
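The unsigned wraparound described under Technical details, and the kind of bounds-check change described above, can be reproduced in user space. The following is an added example, not kernel source and not the upstream patch: MODEL_PAGE_SIZE and the function names are assumptions, and the hardened check is one overflow-safe way to write the comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's PAGE_SIZE (assumed 4096 here). */
#define MODEL_PAGE_SIZE ((size_t)4096)

/* Space the flawed calculation believes is left when `size` bytes are
 * already stored. For size > MODEL_PAGE_SIZE - 2 the unsigned
 * subtraction wraps instead of going negative. */
size_t weak_remaining(size_t size)
{
    return MODEL_PAGE_SIZE - 2 - size;
}

/* Model of the flawed check: returns 1 when a parameter of `len` bytes
 * is accepted. After a wrap, every realistic len is accepted. */
int weak_check_accepts(size_t size, size_t len)
{
    return !(len > weak_remaining(size));
}

/* Hardened model: reject first if `size` already exceeds the usable
 * space, so the subtraction that follows can never wrap. */
int fixed_check_accepts(size_t size, size_t len)
{
    if (size > MODEL_PAGE_SIZE - 2)
        return 0;
    return len <= MODEL_PAGE_SIZE - 2 - size;
}

int main(void)
{
    /* Constructed (size, len) pairs: normal, full, and one past the limit. */
    const size_t cases[][2] = { {0, 10}, {4000, 200}, {4094, 0}, {4095, 100} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t size = cases[i][0], len = cases[i][1];
        printf("size=%zu len=%zu remaining=%zu weak=%s fixed=%s\n",
               size, len, weak_remaining(size),
               weak_check_accepts(size, len) ? "accept" : "reject",
               fixed_check_accepts(size, len) ? "accept" : "reject");
    }
    return 0;
}
```

The two checks agree on every input until `size` passes MODEL_PAGE_SIZE - 2; from that point the flawed form reports close to SIZE_MAX bytes of free space.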

Source: This report was generated using AI

Related Linux Kernel vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2025-40205 | HIGH | 7.8 | Linux Kernel | linux-azure-6.14 | No | Yes | Nov 12, 2025
CVE-2025-40211 | HIGH | 7.1 | Linux Kernel | linux-gcp-5.15 | No | Yes | Nov 21, 2025
CVE-2025-40206 | MEDIUM | 5.5 | Linux Kernel | linux-raspi | No | Yes | Nov 12, 2025
CVE-2025-40210 | MEDIUM | 5.1 | Linux Kernel | linux-realtime | No | Yes | Nov 21, 2025
CVE-2025-40212 | N/A | N/A | Linux Kernel | kernel-rt-64k-modules | No | Yes | Nov 24, 2025
