CVE-2022-49873
bpf: Fix wrong reg type conversion in release_reference()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix wrong reg type conversion in release_reference() Some helper functions will allocate memory. To avoid memory leaks, the
verifier requires the eBPF program to release these memories by calling
the corresponding helper functions. When a resource is released, all pointer registers corresponding to the
resource should be invalidated. The verifier use release_references() to
do this job, by apply __mark_reg_unknown() to each relevant register. It will give these registers the type of SCALAR_VALUE. A register that
will contain a pointer value at runtime, but of type SCALAR_VALUE, which
may allow the unprivileged user to get a kernel pointer by storing this
register into a map. Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this
problem.
A flaw was found in the eBPF subsystem in the Linux kernel. When a resource is released, the pointer registers related to the resource are incorrectly converted to the wrong type, allowing kernel pointers to be exposed to unprivileged users.
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix wrong reg type conversion in release_reference() Some helper functions will allocate memory. To avoid memory leaks, the verifier requires the eBPF program to release these memories by calling the corresponding helper functions. When a resource is released, all pointer registers corresponding to the resource should be invalidated. The verifier use release_references() to do this job, by apply __mark_reg_unknown() to each relevant register. It will give these registers the type of SCALAR_VALUE. A register that will contain a pointer value at runtime, but of type SCALAR_VALUE, which may allow the unprivileged user to get a kernel pointer by storing this register into a map. Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this problem.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2025-05-01 CVE Reserved
- 2025-05-01 CVE Published
- 2025-10-01 CVE Updated
- 2025-12-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-704: Incorrect Type Conversion or Cast
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/fd978bf7fd312581a7ca454a991f0ffb34c4204b | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-49873 | 2023-11-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2363467 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 5.10.155 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.10.155" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 5.15.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.15.79" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 6.0.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.0.9" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 6.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.1" | en |
Affected
| ||||||