CVE-2022-47929: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-47929 is a NULL pointer dereference vulnerability discovered in the Linux kernel's traffic control subsystem before version 6.1.6. The vulnerability allows an unprivileged user to trigger a denial of service (system crash) by setting up a crafted traffic control configuration using 'tc qdisc' and 'tc class' commands. This specifically affects the qdiscgraft function in net/sched/schapi.c (NVD, Cloudflare Blog).

The vulnerability stems from a NULL pointer dereference in the devqueuexmit() path when applying noqueue to a classful queue discipline. The issue occurs because classful queue disciplines bypass the NULL check in devqueuexmit() as the discipline is set to HTB, and then in _devxmitskb(), it calls htbenqueue() which assumes ->enqueue() is not NULL. This was introduced in commit d66d6c3152e8 ('net: sched: register noqueue qdisc'). The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Cloudflare Blog).

When successfully exploited, this vulnerability allows an unprivileged local user to cause a denial of service by crashing the system. The impact is particularly concerning because it can be triggered through USER namespaces, which are commonly used by container technologies like Docker and Podman (Cloudflare Blog).

The vulnerability was fixed in Linux kernel version 6.1.6 by disallowing noqueue for qdisc classes, as documented in the Linux TC Notes. The fix enforces the original design intention that classes cannot be set to the noqueue discipline. For systems that cannot immediately update to the patched kernel version, it's recommended to consider hardening USER namespaces by setting sysctl -w kernel.unprivilegedusernsclone=0 or implementing other namespace restrictions (Cloudflare Blog).