CVE-2022-49236: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49236 is a use-after-free vulnerability discovered in the Linux kernel's BPF (Berkeley Packet Filter) subsystem. The vulnerability exists in the interaction between btftrygetmodule and loadmodule functions, where a race condition can occur during module loading. This vulnerability was disclosed in February 2025 and affects the Linux kernel's BTF (BPF Type Format) implementation (Kernel Git).

The vulnerability occurs when BTF parsing happens from MODULESTATECOMING notifier callback, before module initcalls are invoked. The notifier callback parses and prepares the module BTF, allocates an ID, publishes it to userspace, and adds it to btfmodules list. However, the module is not fully initialized at this point, and the code in module.c can fail and free the module without considering other users. This creates a race condition where btftrygetmodule can succeed between MODULESTATECOMING to MODULESTATELIVE state transition, leading to a use-after-free condition when the BPF program loads successfully but the module initialization fails (Kernel Git). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can allow an attacker with local access to potentially corrupt system memory, crash the system, or escalate privileges. The use-after-free condition can be triggered when a BPF program loads successfully during the state transition, but the module's initialization fails, leading to potential memory corruption (Red Hat).

The fix involves setting a BTFMODULEFLIVE flag from the notifier callback when MODULESTATELIVE state is reached for the module. This ensures that btftrygetmodule returns NULL for modules that are not fully formed. The fix has been implemented in the kernel, and system administrators should update to a patched version (Kernel Git).