CVE-2022-49548

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix potential array overflow in bpf_trampoline_get_progs()

The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not
include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of
the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline
can exceed BPF_MAX_TRAMP_PROGS.

When this happens, the assignment '*progs++ = aux->prog' in
bpf_trampoline_get_progs() will cause progs array overflow as the
progs field in the bpf_tramp_progs struct can only hold at most
BPF_MAX_TRAMP_PROGS bpf programs.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Vendor	Product	Version
linux	linux_kernel	5.7 ≤ 𝑥 < 5.10.120
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.45
linux	linux_kernel	5.16 ≤ 𝑥 < 5.17.13
linux	linux_kernel	5.18 ≤ 𝑥 < 5.18.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.12-1 fixed
sid	6.12.16-1 fixed

Common Weakness Enumeration

CWE-129 - Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References

https://git.kernel.org/stable/c/32c4559c61652f24c9fdd5440342196fe37453bc

https://git.kernel.org/stable/c/4f8897bcc20b9ae44758e0572538d741ab66f0dc

https://git.kernel.org/stable/c/7f845de2863334bed4f362e95853f5e7bc323737

https://git.kernel.org/stable/c/a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d

https://git.kernel.org/stable/c/e36452d5da6325df7c10cffc60a9e68d21e2606d