Vulnerability DatabaseCVE-2022-32250

CVE-2022-32250:
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2022-32250 is a use-after-free vulnerability discovered in the Linux kernel's netfilter subsystem (net/netfilter/nftablesapi.c) through version 5.18.1. The vulnerability allows a local user with the ability to create user/net namespaces to escalate privileges to root due to an incorrect NFTSTATEFULEXPR check. The issue was discovered by Aaron Adams and fixed in May 2022 through commit 520778042ccca019f3ffa136dd0ca565c486cedd (Kernel Commit).

Technical details

The vulnerability stems from a failure to properly clean up when a lookup or dynset expression is encountered as a subexpression of a NFTMSGNEWSET command. The nftexprinit() function calls expr->ops->init() first, then checks for NFTSTATEFULEXPR, which allows initialization of non-stateful lookup expressions pointing to a set. This leads to a use-after-free condition since the set is not properly detached from the set->binding. The issue affects multiple expressions, including lookup and dynset expressions. The CVSS v3.1 base score is 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

Successful exploitation of this vulnerability allows a local attacker to escalate privileges to root, potentially leading to complete system compromise. The vulnerability can also be used to cause denial of service through system crashes or memory corruption (Security Online).

Mitigation and workarounds

The primary mitigation is to update the Linux kernel to a patched version. For systems that cannot be immediately updated, a temporary workaround is to disable the ability for unprivileged users to create namespaces by setting: sysctl -w kernel.unprivilegedusernsclone=0 (Ubuntu Security).

Community reactions

The vulnerability received significant attention from the security community due to its high impact and relatively easy exploitability. Multiple security researchers have published detailed technical analyses and proof-of-concept exploits. Major Linux distributions quickly released patches, including Red Hat, Debian, and Ubuntu (Red Hat Bugzilla).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.8

Score

Published June 2, 2022

Severity HIGH

CNA Score N/A

Affected Technologies

Linux Kernel
Bottlerocket

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 82.1

Exploitation Probability (EPSS) 1.8

Affected packages and libraries

kernel-default-devel
kernel-devel-azure

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Aug 07, 2022
Bottlerocket GitHub Security Advisories
- Bottlerocket Severity MEDIUMHas FixAdded at: Dec 01, 2022
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity HIGHHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 9 Severity HIGHHas FixAdded at: Jul 01, 2022
- Debian 10 Severity HIGHHas FixAdded at: Jul 03, 2022
- Debian 11, 12 Severity HIGHHas FixAdded at: Jun 20, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
Photon Security Advisory
- Photon 2.0, 3.0, 4.0 Severity HIGHHas FixAdded at: Jun 26, 2022
Red Hat Errata
- Red Hat 7 Severity HIGHHas FixAdded at: Jul 06, 2022
- Red Hat 8 Severity HIGHHas FixAdded at: Jul 06, 2022
- Red Hat 9 Severity HIGHHas FixAdded at: Sep 06, 2022
Rocky Linux Product Errata
- Rocky 8 Has FixAdded at: May 14, 2023
Ubuntu Security Tracker
- Ubuntu 14.04 Severity HIGHHas FixAdded at: Jul 27, 2022
- Ubuntu 16.04, 18.04, 20.04 Severity HIGHHas FixAdded at: Jul 13, 2022
- Ubuntu 21.10, 22.04 Severity HIGHHas FixAdded at: Nov 01, 2022