Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-49840

Use After Free

Published: May 01, 2025 | Modified: May 07, 2025
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.5 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-49840
CWEhttps://cwe.mitre.org/data/definitions/416.html

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of aarch64 alignment fault if KFENCE enabled. When the size from user bpf program is an odd number, like 399, 407, etc, it will cause the struct skb_shared_infos unaligned access. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213): __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline] arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline] atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline] __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032 skb_clone+0xf4/0x214 net/core/skbuff.c:1481 ____bpf_clone_redirect net/core/filter.c:2433 [inline] bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420 bpf_prog_d3839dd9068ceb51+0x80/0x330 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline] bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s: kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:675 [inline] bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @hearoom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.

Weakness

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Affected Software

Name Vendor Start Version End Version
Linux_kernel Linux 4.12 (including) 4.14.300 (excluding)
Linux_kernel Linux 4.15 (including) 4.19.267 (excluding)
Linux_kernel Linux 4.20 (including) 5.4.225 (excluding)
Linux_kernel Linux 5.5 (including) 5.10.156 (excluding)
Linux_kernel Linux 5.11 (including) 5.15.80 (excluding)
Linux_kernel Linux 5.16 (including) 6.0.10 (excluding)
Linux_kernel Linux 6.1-rc1 (including) 6.1-rc1 (including)
Linux_kernel Linux 6.1-rc2 (including) 6.1-rc2 (including)
Linux_kernel Linux 6.1-rc3 (including) 6.1-rc3 (including)
Linux_kernel Linux 6.1-rc4 (including) 6.1-rc4 (including)
Linux_kernel Linux 6.1-rc5 (including) 6.1-rc5 (including)
Linux Ubuntu bionic *
Linux Ubuntu focal *
Linux Ubuntu jammy *
Linux Ubuntu upstream *
Linux-allwinner-5.19 Ubuntu jammy *
Linux-allwinner-5.19 Ubuntu upstream *
Linux-aws Ubuntu bionic *
Linux-aws Ubuntu focal *
Linux-aws Ubuntu jammy *
Linux-aws Ubuntu upstream *
Linux-aws-5.0 Ubuntu bionic *
Linux-aws-5.0 Ubuntu esm-infra/bionic *
Linux-aws-5.0 Ubuntu upstream *
Linux-aws-5.11 Ubuntu focal *
Linux-aws-5.11 Ubuntu upstream *
Linux-aws-5.13 Ubuntu focal *
Linux-aws-5.13 Ubuntu upstream *
Linux-aws-5.15 Ubuntu focal *
Linux-aws-5.15 Ubuntu upstream *
Linux-aws-5.19 Ubuntu jammy *
Linux-aws-5.19 Ubuntu upstream *
Linux-aws-5.3 Ubuntu bionic *
Linux-aws-5.3 Ubuntu esm-infra/bionic *
Linux-aws-5.3 Ubuntu upstream *
Linux-aws-5.4 Ubuntu bionic *
Linux-aws-5.4 Ubuntu upstream *
Linux-aws-5.8 Ubuntu focal *
Linux-aws-5.8 Ubuntu upstream *
Linux-aws-6.2 Ubuntu jammy *
Linux-aws-6.2 Ubuntu upstream *
Linux-aws-6.5 Ubuntu jammy *
Linux-aws-6.5 Ubuntu upstream *
Linux-aws-6.8 Ubuntu upstream *
Linux-aws-fips Ubuntu fips-updates/bionic *
Linux-aws-fips Ubuntu fips-updates/focal *
Linux-aws-fips Ubuntu fips/bionic *
Linux-aws-fips Ubuntu fips/focal *
Linux-aws-fips Ubuntu trusty *
Linux-aws-fips Ubuntu upstream *
Linux-aws-fips Ubuntu xenial *
Linux-aws-hwe Ubuntu esm-infra/xenial *
Linux-aws-hwe Ubuntu upstream *
Linux-aws-hwe Ubuntu xenial *
Linux-azure Ubuntu bionic *
Linux-azure Ubuntu esm-infra/bionic *
Linux-azure Ubuntu esm-infra/xenial *
Linux-azure Ubuntu focal *
Linux-azure Ubuntu jammy *
Linux-azure Ubuntu trusty *
Linux-azure Ubuntu trusty/esm *
Linux-azure Ubuntu upstream *
Linux-azure Ubuntu xenial *
Linux-azure-4.15 Ubuntu bionic *
Linux-azure-4.15 Ubuntu upstream *
Linux-azure-5.11 Ubuntu focal *
Linux-azure-5.11 Ubuntu upstream *
Linux-azure-5.13 Ubuntu focal *
Linux-azure-5.13 Ubuntu upstream *
Linux-azure-5.15 Ubuntu focal *
Linux-azure-5.15 Ubuntu upstream *
Linux-azure-5.19 Ubuntu jammy *
Linux-azure-5.19 Ubuntu upstream *
Linux-azure-5.3 Ubuntu bionic *
Linux-azure-5.3 Ubuntu esm-infra/bionic *
Linux-azure-5.3 Ubuntu upstream *
Linux-azure-5.4 Ubuntu bionic *
Linux-azure-5.4 Ubuntu upstream *
Linux-azure-5.8 Ubuntu focal *
Linux-azure-5.8 Ubuntu upstream *
Linux-azure-6.11 Ubuntu upstream *
Linux-azure-6.2 Ubuntu jammy *
Linux-azure-6.2 Ubuntu upstream *
Linux-azure-6.5 Ubuntu jammy *
Linux-azure-6.5 Ubuntu upstream *
Linux-azure-6.8 Ubuntu upstream *
Linux-azure-edge Ubuntu bionic *
Linux-azure-edge Ubuntu esm-infra/bionic *
Linux-azure-edge Ubuntu upstream *
Linux-azure-fde Ubuntu focal *
Linux-azure-fde Ubuntu upstream *
Linux-azure-fde-5.15 Ubuntu upstream *
Linux-azure-fde-5.19 Ubuntu jammy *
Linux-azure-fde-5.19 Ubuntu upstream *
Linux-azure-fde-6.2 Ubuntu jammy *
Linux-azure-fde-6.2 Ubuntu upstream *
Linux-azure-fips Ubuntu fips-updates/bionic *
Linux-azure-fips Ubuntu fips-updates/focal *
Linux-azure-fips Ubuntu fips/bionic *
Linux-azure-fips Ubuntu fips/focal *
Linux-azure-fips Ubuntu trusty *
Linux-azure-fips Ubuntu upstream *
Linux-azure-fips Ubuntu xenial *
Linux-azure-nvidia Ubuntu upstream *
Linux-bluefield Ubuntu bluefield/jammy *
Linux-bluefield Ubuntu focal *
Linux-bluefield Ubuntu upstream *
Linux-fips Ubuntu fips-updates/bionic *
Linux-fips Ubuntu fips-updates/focal *
Linux-fips Ubuntu fips/bionic *
Linux-fips Ubuntu fips/focal *
Linux-fips Ubuntu upstream *
Linux-gcp Ubuntu bionic *
Linux-gcp Ubuntu esm-infra/bionic *
Linux-gcp Ubuntu esm-infra/xenial *
Linux-gcp Ubuntu focal *
Linux-gcp Ubuntu jammy *
Linux-gcp Ubuntu upstream *
Linux-gcp Ubuntu xenial *
Linux-gcp-4.15 Ubuntu bionic *
Linux-gcp-4.15 Ubuntu upstream *
Linux-gcp-5.11 Ubuntu focal *
Linux-gcp-5.11 Ubuntu upstream *
Linux-gcp-5.13 Ubuntu focal *
Linux-gcp-5.13 Ubuntu upstream *
Linux-gcp-5.15 Ubuntu focal *
Linux-gcp-5.15 Ubuntu upstream *
Linux-gcp-5.19 Ubuntu jammy *
Linux-gcp-5.19 Ubuntu upstream *
Linux-gcp-5.3 Ubuntu bionic *
Linux-gcp-5.3 Ubuntu esm-infra/bionic *
Linux-gcp-5.3 Ubuntu upstream *
Linux-gcp-5.4 Ubuntu bionic *
Linux-gcp-5.4 Ubuntu upstream *
Linux-gcp-5.8 Ubuntu focal *
Linux-gcp-5.8 Ubuntu upstream *
Linux-gcp-6.11 Ubuntu upstream *
Linux-gcp-6.2 Ubuntu jammy *
Linux-gcp-6.2 Ubuntu upstream *
Linux-gcp-6.5 Ubuntu jammy *
Linux-gcp-6.5 Ubuntu upstream *
Linux-gcp-6.8 Ubuntu upstream *
Linux-gcp-fips Ubuntu fips-updates/bionic *
Linux-gcp-fips Ubuntu fips-updates/focal *
Linux-gcp-fips Ubuntu fips/bionic *
Linux-gcp-fips Ubuntu fips/focal *
Linux-gcp-fips Ubuntu trusty *
Linux-gcp-fips Ubuntu upstream *
Linux-gcp-fips Ubuntu xenial *
Linux-gke Ubuntu focal *
Linux-gke Ubuntu jammy *
Linux-gke Ubuntu upstream *
Linux-gke Ubuntu xenial *
Linux-gke-4.15 Ubuntu bionic *
Linux-gke-4.15 Ubuntu esm-infra/bionic *
Linux-gke-4.15 Ubuntu upstream *
Linux-gke-5.15 Ubuntu focal *
Linux-gke-5.15 Ubuntu upstream *
Linux-gke-5.4 Ubuntu bionic *
Linux-gke-5.4 Ubuntu esm-infra/bionic *
Linux-gke-5.4 Ubuntu upstream *
Linux-gkeop Ubuntu focal *
Linux-gkeop Ubuntu jammy *
Linux-gkeop Ubuntu upstream *
Linux-gkeop-5.15 Ubuntu focal *
Linux-gkeop-5.15 Ubuntu upstream *
Linux-gkeop-5.4 Ubuntu bionic *
Linux-gkeop-5.4 Ubuntu esm-infra/bionic *
Linux-gkeop-5.4 Ubuntu upstream *
Linux-hwe Ubuntu bionic *
Linux-hwe Ubuntu esm-infra/bionic *
Linux-hwe Ubuntu esm-infra/xenial *
Linux-hwe Ubuntu upstream *
Linux-hwe Ubuntu xenial *
Linux-hwe-5.11 Ubuntu focal *
Linux-hwe-5.11 Ubuntu upstream *
Linux-hwe-5.13 Ubuntu focal *
Linux-hwe-5.13 Ubuntu upstream *
Linux-hwe-5.15 Ubuntu focal *
Linux-hwe-5.15 Ubuntu upstream *
Linux-hwe-5.19 Ubuntu jammy *
Linux-hwe-5.19 Ubuntu upstream *
Linux-hwe-5.4 Ubuntu bionic *
Linux-hwe-5.4 Ubuntu upstream *
Linux-hwe-5.8 Ubuntu focal *
Linux-hwe-5.8 Ubuntu upstream *
Linux-hwe-6.11 Ubuntu upstream *
Linux-hwe-6.2 Ubuntu jammy *
Linux-hwe-6.2 Ubuntu upstream *
Linux-hwe-6.5 Ubuntu jammy *
Linux-hwe-6.5 Ubuntu upstream *
Linux-hwe-6.8 Ubuntu upstream *
Linux-hwe-edge Ubuntu bionic *
Linux-hwe-edge Ubuntu esm-infra/bionic *
Linux-hwe-edge Ubuntu esm-infra/xenial *
Linux-hwe-edge Ubuntu upstream *
Linux-hwe-edge Ubuntu xenial *
Linux-ibm Ubuntu focal *
Linux-ibm Ubuntu jammy *
Linux-ibm Ubuntu upstream *
Linux-ibm-5.15 Ubuntu upstream *
Linux-ibm-5.4 Ubuntu bionic *
Linux-ibm-5.4 Ubuntu upstream *
Linux-intel Ubuntu upstream *
Linux-intel-5.13 Ubuntu focal *
Linux-intel-5.13 Ubuntu upstream *
Linux-intel-iot-realtime Ubuntu realtime/jammy *
Linux-intel-iot-realtime Ubuntu upstream *
Linux-intel-iotg Ubuntu jammy *
Linux-intel-iotg Ubuntu upstream *
Linux-intel-iotg-5.15 Ubuntu focal *
Linux-intel-iotg-5.15 Ubuntu upstream *
Linux-iot Ubuntu focal *
Linux-iot Ubuntu upstream *
Linux-kvm Ubuntu bionic *
Linux-kvm Ubuntu focal *
Linux-kvm Ubuntu jammy *
Linux-kvm Ubuntu upstream *
Linux-lowlatency Ubuntu jammy *
Linux-lowlatency Ubuntu upstream *
Linux-lowlatency-hwe-5.15 Ubuntu focal *
Linux-lowlatency-hwe-5.15 Ubuntu upstream *
Linux-lowlatency-hwe-5.19 Ubuntu jammy *
Linux-lowlatency-hwe-5.19 Ubuntu upstream *
Linux-lowlatency-hwe-6.11 Ubuntu upstream *
Linux-lowlatency-hwe-6.2 Ubuntu jammy *
Linux-lowlatency-hwe-6.2 Ubuntu upstream *
Linux-lowlatency-hwe-6.5 Ubuntu jammy *
Linux-lowlatency-hwe-6.5 Ubuntu upstream *
Linux-lowlatency-hwe-6.8 Ubuntu upstream *
Linux-lts-xenial Ubuntu upstream *
Linux-nvidia Ubuntu jammy *
Linux-nvidia Ubuntu upstream *
Linux-nvidia-6.2 Ubuntu jammy *
Linux-nvidia-6.2 Ubuntu upstream *
Linux-nvidia-6.5 Ubuntu jammy *
Linux-nvidia-6.5 Ubuntu upstream *
Linux-nvidia-6.8 Ubuntu upstream *
Linux-nvidia-lowlatency Ubuntu upstream *
Linux-nvidia-tegra Ubuntu upstream *
Linux-nvidia-tegra-igx Ubuntu upstream *
Linux-oem Ubuntu bionic *
Linux-oem Ubuntu esm-infra/bionic *
Linux-oem Ubuntu upstream *
Linux-oem Ubuntu xenial *
Linux-oem-5.10 Ubuntu focal *
Linux-oem-5.10 Ubuntu upstream *
Linux-oem-5.13 Ubuntu focal *
Linux-oem-5.13 Ubuntu upstream *
Linux-oem-5.14 Ubuntu focal *
Linux-oem-5.14 Ubuntu upstream *
Linux-oem-5.17 Ubuntu jammy *
Linux-oem-5.17 Ubuntu upstream *
Linux-oem-5.6 Ubuntu focal *
Linux-oem-5.6 Ubuntu upstream *
Linux-oem-6.0 Ubuntu jammy *
Linux-oem-6.0 Ubuntu upstream *
Linux-oem-6.1 Ubuntu jammy *
Linux-oem-6.1 Ubuntu upstream *
Linux-oem-6.11 Ubuntu upstream *
Linux-oem-6.5 Ubuntu jammy *
Linux-oem-6.5 Ubuntu upstream *
Linux-oem-6.8 Ubuntu upstream *
Linux-oracle Ubuntu bionic *
Linux-oracle Ubuntu esm-infra/xenial *
Linux-oracle Ubuntu focal *
Linux-oracle Ubuntu jammy *
Linux-oracle Ubuntu upstream *
Linux-oracle Ubuntu xenial *
Linux-oracle-5.0 Ubuntu bionic *
Linux-oracle-5.0 Ubuntu esm-infra/bionic *
Linux-oracle-5.0 Ubuntu upstream *
Linux-oracle-5.11 Ubuntu focal *
Linux-oracle-5.11 Ubuntu upstream *
Linux-oracle-5.13 Ubuntu focal *
Linux-oracle-5.13 Ubuntu upstream *
Linux-oracle-5.15 Ubuntu focal *
Linux-oracle-5.15 Ubuntu upstream *
Linux-oracle-5.3 Ubuntu bionic *
Linux-oracle-5.3 Ubuntu esm-infra/bionic *
Linux-oracle-5.3 Ubuntu upstream *
Linux-oracle-5.4 Ubuntu bionic *
Linux-oracle-5.4 Ubuntu upstream *
Linux-oracle-5.8 Ubuntu focal *
Linux-oracle-5.8 Ubuntu upstream *
Linux-oracle-6.5 Ubuntu jammy *
Linux-oracle-6.5 Ubuntu upstream *
Linux-oracle-6.8 Ubuntu upstream *
Linux-raspi Ubuntu focal *
Linux-raspi Ubuntu jammy *
Linux-raspi Ubuntu upstream *
Linux-raspi-5.4 Ubuntu bionic *
Linux-raspi-5.4 Ubuntu upstream *
Linux-raspi-realtime Ubuntu upstream *
Linux-raspi2 Ubuntu bionic *
Linux-raspi2 Ubuntu focal *
Linux-raspi2 Ubuntu upstream *
Linux-raspi2 Ubuntu xenial *
Linux-realtime Ubuntu jammy *
Linux-realtime Ubuntu noble *
Linux-realtime Ubuntu realtime/jammy *
Linux-realtime Ubuntu upstream *
Linux-riscv Ubuntu focal *
Linux-riscv Ubuntu jammy *
Linux-riscv Ubuntu upstream *
Linux-riscv-5.11 Ubuntu focal *
Linux-riscv-5.11 Ubuntu upstream *
Linux-riscv-5.15 Ubuntu focal *
Linux-riscv-5.15 Ubuntu upstream *
Linux-riscv-5.19 Ubuntu jammy *
Linux-riscv-5.19 Ubuntu upstream *
Linux-riscv-5.8 Ubuntu focal *
Linux-riscv-5.8 Ubuntu upstream *
Linux-riscv-6.5 Ubuntu jammy *
Linux-riscv-6.5 Ubuntu upstream *
Linux-riscv-6.8 Ubuntu upstream *
Linux-starfive-5.19 Ubuntu jammy *
Linux-starfive-5.19 Ubuntu upstream *
Linux-starfive-6.2 Ubuntu jammy *
Linux-starfive-6.2 Ubuntu upstream *
Linux-starfive-6.5 Ubuntu jammy *
Linux-starfive-6.5 Ubuntu upstream *
Linux-xilinx-zynqmp Ubuntu focal *
Linux-xilinx-zynqmp Ubuntu upstream *

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use