CVE-2022-49086

MEDIUM EPSS 16.4%
Published Feb 26, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix leak of nested actions While parsing user-provided actions, openvswitch module may dynamically allocate memory and store pointers in the internal copy of the actions. So this memory has to be freed while destroying the actions. Currently there are only two such actions: ct() and set(). However, there are many actions that can hold nested lists of actions and ovs_nla_free_flow_actions() just jumps over them leaking the memory. For example, removal of the flow with the following actions will lead to a leak of the memory allocated by nf_ct_tmpl_alloc(): actions:clone(ct(commit),0) Non-freed set() action may also leak the 'dst' structure for the tunnel info including device references. Under certain conditions with a high rate of flow rotation that may cause significant memory leak problem (2MB per second in reporter's case). The problem is also hard to mitigate, because the user doesn't have direct control over the datapath flows generated by OVS. Fix that by iterating over all the nested actions and freeing everything that needs to be freed recursively. New build time assertion should protect us from this problem if new actions will be added in the future. Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all attributes has to be explicitly checked. sample() and clone() actions are mixing extra attributes into the user-provided action list. That prevents some code generalization too.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
16.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥4.3  –  <4.19.249
linuxlinux_kernel*≥4.20  –  <5.4.200
linuxlinux_kernel*≥5.5  –  <5.10.111
linuxlinux_kernel*≥5.11  –  <5.15.34
linuxlinux_kernel*≥5.16  –  <5.16.20
linuxlinux_kernel*≥5.17  –  <5.17.3
linuxlinux_kernel5.18any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1f30fb9166d4f15a1aa19449b9da871fe0ed4796
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3554c214b83ec9a839ed574263a34218f372990c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/53bce9d19b0a9d245b25cd050b81652ed974a509
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5ae05b5eb58773cfec307ff88aff4cfd843c4cff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7438dc55c0709819b813f4778aec2c48b782990b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/837b96d8103938e35e7d92cd9db96af914ca4fff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ef6f9ce0a79aa23b10fc5f3b3cab3814a25aac40
    Patch