CVE-2022-36946

kernel: DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

La función nfqnl_mangle en el archivo net/netfilter/nfnetlink_queue.c en el kernel de Linux versiones hasta 5.18.14, permite a atacantes remotos causar una denegación de servicio (pánico) porque, en el caso de un veredicto nf_queue con un atributo nfta_payload de un byte, un skb_pull puede encontrar un skb-)len negativo

A memory corruption flaw was found in the Linux kernel’s Netfilter subsystem in the way a local user uses the libnetfilter_queue when analyzing a corrupted network packet. This flaw allows a local user to crash the system or a remote user to crash the system when the libnetfilter_queue is used by a local user.

It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-27 CVE Reserved
2022-07-27 CVE Published
2023-03-08 First Exploit
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164
https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html	Mailing List
https://security.netapp.com/advisory/ntap-20220901-0007	Third Party Advisory

URL	Date	SRC
https://github.com/Pwnzer0tt1/CVE-2022-36946	2024-06-21
https://github.com/Satheesh575555/linux-4.19.72_CVE-2022-36946	2023-03-08

URL	Date	SRC
https://marc.info/?l=netfilter-devel&m=165883202007292&w=2	2024-03-25

URL	Date	SRC
https://www.debian.org/security/2022/dsa-5207	2024-03-25
https://access.redhat.com/security/cve/CVE-2022-36946	2024-02-07
https://bugzilla.redhat.com/show_bug.cgi?id=2115278	2024-02-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.14 < 4.9.326 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.14 < 4.9.326"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.14.291 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.291"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.255 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.255"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.4.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.209"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.135 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.135"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.59 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.59"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 5.18.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 5.18.16"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Solidfire \& Hci Management Node Search vendor "Netapp" for product "Solidfire \& Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire \& Hci Storage Node Search vendor "Netapp" for product "Solidfire \& Hci Storage Node"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire Enterprise Sds Search vendor "Netapp" for product "Solidfire Enterprise Sds"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Compute Node Search vendor "Netapp" for product "Hci Compute Node"				-		-		Affected