CVE-2022-32250
Linux Kernel nf_tables_expr_destroy Use-After-Free Privilege Escalation Vulnerability
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
6
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
El archivo net/netfilter/nf_tables_api.c en el kernel de Linux versiones hasta 5.18.1, permite a un usuario local (capaz de crear espacios de nombres de usuario/red) escalar privilegios a root porque una comprobaciĆ³n incorrecta de NFT_STATEFUL_EXPR conlleva a un uso de memoria previamente liberada
A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue.
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the nf_tables_expr_destroy method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.
*Credits:
Bien Pham (@bienpnn)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-06-02 CVE Reserved
- 2022-06-02 CVE Published
- 2023-02-04 First Exploit
- 2024-08-03 CVE Updated
- 2024-08-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-416: Use After Free
CAPEC
References (21)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/06/20/1 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2022/07/03/5 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2022/07/03/6 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2022/09/02/9 | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html | Mailing List |
|
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO6Y3TC4WUUNKRP7OQA26OVTZTPCS6F2 | X_refsource_misc |
|
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UIZTJOJCVVEJVOQSCHE6IJQKMPISHQ5L | X_refsource_misc |
|
| https://security.netapp.com/advisory/ntap-20220715-0005 | Third Party Advisory |
|
| https://www.debian.org/security/2022/dsa-5161 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/theori-io/CVE-2022-32250-exploit | 2024-08-03 | |
| https://github.com/ysanatomic/CVE-2022-32250-LPE | 2023-02-04 | |
| https://github.com/Kristal-g/CVE-2022-32250 | 2024-06-09 | |
| http://www.openwall.com/lists/oss-security/2022/06/03/1 | 2024-08-03 | |
| https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022 | 2024-08-03 | |
| https://www.openwall.com/lists/oss-security/2022/05/31/1 | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2092427 | 2022-09-19 | |
| https://www.debian.org/security/2022/dsa-5173 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2022-32250 | 2022-09-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netapp Search vendor "Netapp" | H300s Firmware Search vendor "Netapp" for product "H300s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H300s Search vendor "Netapp" for product "H300s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H500s Firmware Search vendor "Netapp" for product "H500s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H500s Search vendor "Netapp" for product "H500s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H700s Firmware Search vendor "Netapp" for product "H700s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H700s Search vendor "Netapp" for product "H700s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H410s Firmware Search vendor "Netapp" for product "H410s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H410s Search vendor "Netapp" for product "H410s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H410c Firmware Search vendor "Netapp" for product "H410c Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H410c Search vendor "Netapp" for product "H410c" | - | - |
Safe
|
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 4.9.318 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 4.9.318" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.10 < 4.14.283 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.283" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 4.19.247 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.247" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 5.4.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.198" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.10.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.120" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.11 < 5.15.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.45" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 5.17.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 5.17.13" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 5.18.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 5.18.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||