1. Home
  2. Vulnerabilities
  3. CVE-2022-49667
7.8
HIGH CVSS 3.1
CVE-2022-49667
Linux Bonding 802.3ad Use-After-Free Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free after 802.3ad slave unbind commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), resolve case, when there is several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) aggregator when __agg_active_ports return zero. So, ad_clear_agg can be executed even, when num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for, previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update slave ports list, because lag_ports==NULL. So, here we got slave ports, pointing to freed aggregator memory. Fix with checking actual number of ports in group (as was before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), before ad_clear_agg(). The KASAN logs are as follows: [ 767.617392] ================================================================== [ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470 [ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767 [ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15 [ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler [ 767.666468] Call trace: [ 767.668930] dump_backtrace+0x0/0x2d0 [ 767.672625] show_stack+0x24/0x30 [ 767.675965] dump_stack_lvl+0x68/0x84 [ 767.679659] print_address_description.constprop.0+0x74/0x2b8 [ 767.685451] kasan_report+0x1f0/0x260 [ 767.689148] __asan_load2+0x94/0xd0 [ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470

INFO

Published Date :

Feb. 26, 2025, 7:01 a.m.

Last Modified :

March 24, 2025, 7:07 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2022-49667 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
Update the Linux kernel to fix a use-after-free vulnerability in bonding.
  • Update the Linux kernel to the latest stable version.
  • Apply the specific patch addressing the bonding vulnerability.
  • Recompile the kernel if compiling from source.
  • Reboot the system after applying updates.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2022-49667.

URL Resource
https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562 Patch
https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc Patch
https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6 Patch
https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8 Patch
https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e Patch
https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6 Patch
https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15 Patch
https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c Patch
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2022-49667 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2022-49667 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2022-49667 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2022-49667 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 24, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.53 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 5.18.10 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.7 up to (excluding) 4.9.322 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.287 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.251 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.204 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.129
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c Types: Patch
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 27, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-416
  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 26, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free after 802.3ad slave unbind commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), resolve case, when there is several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) aggregator when __agg_active_ports return zero. So, ad_clear_agg can be executed even, when num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for, previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update slave ports list, because lag_ports==NULL. So, here we got slave ports, pointing to freed aggregator memory. Fix with checking actual number of ports in group (as was before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), before ad_clear_agg(). The KASAN logs are as follows: [ 767.617392] ================================================================== [ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470 [ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767 [ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15 [ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler [ 767.666468] Call trace: [ 767.668930] dump_backtrace+0x0/0x2d0 [ 767.672625] show_stack+0x24/0x30 [ 767.675965] dump_stack_lvl+0x68/0x84 [ 767.679659] print_address_description.constprop.0+0x74/0x2b8 [ 767.685451] kasan_report+0x1f0/0x260 [ 767.689148] __asan_load2+0x94/0xd0 [ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
    Added Reference https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562
    Added Reference https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc
    Added Reference https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6
    Added Reference https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8
    Added Reference https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e
    Added Reference https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6
    Added Reference https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15
    Added Reference https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 7.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact