CVE-2022-48929

MEDIUM · CVSS 3.1: 5.5 · EPSS 11.1%
Published Aug 22, 2024 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to out of bounds access into reg2btf_ids.

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type to the appropriate btf_vmlinux BTF ID, however commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL") moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after the base register types, and defined other variants using type flag composition.

However, now, the direct usage of reg->type to index into reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to out of bounds access and kernel crash on dereference of bad pointer.
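The indexing problem described above, as a simplified user-space model added here for illustration; it is not kernel code and not the upstream patch. The enum members, the 8-bit flag split, the helper names base_type/type_flag, the table values and the shape of the guarded lookup are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the layout in the description; values are constructed. */
#define BPF_BASE_TYPE_BITS 8
#define BPF_BASE_TYPE_MASK ((1u << BPF_BASE_TYPE_BITS) - 1)
#define PTR_MAYBE_NULL     (1u << BPF_BASE_TYPE_BITS)   /* type flag */

enum bpf_reg_type {
    NOT_INIT = 0,
    SCALAR_VALUE,
    PTR_TO_SOCKET,
    PTR_TO_TCP_SOCK,
    __BPF_REG_TYPE_MAX,   /* ends the base types, not the range of reg->type */
    PTR_TO_SOCKET_OR_NULL = PTR_MAYBE_NULL | PTR_TO_SOCKET,
};

/* Table sized by base types only; the IDs are placeholders, not real BTF IDs. */
static const uint32_t reg2btf_ids[__BPF_REG_TYPE_MAX] = {
    [PTR_TO_SOCKET]   = 101,
    [PTR_TO_TCP_SOCK] = 102,
};

static uint32_t base_type(uint32_t type) { return type & BPF_BASE_TYPE_MASK; }
static uint32_t type_flag(uint32_t type) { return type & ~BPF_BASE_TYPE_MASK; }

/* Pre-fix pattern used reg->type directly: is that index inside the table? */
static int raw_index_in_bounds(uint32_t reg_type)
{
    return reg_type < (uint32_t)__BPF_REG_TYPE_MAX;
}

/* Guarded lookup (assumed shape): index by base type, refuse flagged types.
 * Returns 0 when no BTF ID applies. */
static uint32_t reg_btf_id(uint32_t reg_type)
{
    uint32_t base = base_type(reg_type);

    if (base >= (uint32_t)__BPF_REG_TYPE_MAX || type_flag(reg_type))
        return 0;
    return reg2btf_ids[base];
}

int main(void)
{
    uint32_t t = PTR_TO_SOCKET_OR_NULL;
    printf("raw index %u, table size %d, in bounds: %d\n",
           (unsigned)t, (int)__BPF_REG_TYPE_MAX, raw_index_in_bounds(t));
    printf("guarded lookup: %u\n", (unsigned)reg_btf_id(t));
    return 0;
}
```

In this model a flag-composed type such as PTR_TO_SOCKET_OR_NULL has the value 258 while the table holds 4 entries, which is the mismatch the description attributes to moving __BPF_REG_TYPE_MAX.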

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
11.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 2

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.15.15 – <5.15.37
linux   linux_kernel  *        ≥5.16.1 – <5.16.12

References 3

  • git.kernel.org https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/45ce4b4f9009102cd9f581196d480a59208690c1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c39925e98d498b9531343066ef82ae39e41adae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f0ce1bc9e0235dd7412240be493d7ea65ed9eadc
    Patch