Cyber Posture

CVE-2022-49622

High

Published: 26 February 2025
Modified: 24 March 2025
KEV Added: none (not listed)
Patch: fix commits listed under Security Summary
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: avoid skb access on nf_stolen

When verdict is NF_STOLEN, the skb might have been freed. When tracing is enabled, this can result in a use-after-free:

1. access to skb->nf_trace
2. access to skb->mark
3. computation of trace id
4. dump of packet payload

To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN.

Avoid 2 by skipping skb->mark access if verdict is STOLEN.

3 is avoided by precomputing the trace id.

Only dump the packet when verdict is not "STOLEN".

Security Summary

CVE-2022-49622 is a use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem. It is reachable only when packet tracing is enabled for a packet and a rule returns the NF_STOLEN verdict: that verdict means the expression has taken ownership of the socket buffer (skb) and may already have freed it. The trace notification path nevertheless went on to read skb->nf_trace and skb->mark, derive the trace id from the skb, and dump the packet payload, all from memory that may no longer belong to the packet. The weakness is classified as CWE-416 and carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires the ability to load nf_tables rules into the network namespace the packet traverses (CAP_NET_ADMIN in that namespace, which an otherwise unprivileged local user can obtain on systems that allow unprivileged user namespaces; this is consistent with the PR:L in the vector). The attacker-controlled ruleset must turn on tracing for the packet (the nftrace bit set via a meta nftrace rule) and then evaluate an expression that takes ownership of the skb and returns NF_STOLEN. All four accesses in the trace path are reads, so the practical outcomes are a kernel crash (denial of service) or leakage of whatever the freed memory now holds into the trace messages delivered to userspace; the CVSS vector rates the impact as high for confidentiality, integrity and availability.

The fix, applied upstream and backported to stable releases, changes the trace path so that it no longer depends on the skb once the verdict is known: a copy of skb->nf_trace is kept in the trace state structure and refreshed only while the verdict is not NF_STOLEN, skb->mark is not read when the verdict is NF_STOLEN, the trace id is computed up front rather than from the skb at notification time, and the packet payload is dumped only when the verdict is not NF_STOLEN. The commits are at https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba and https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87. To check exposure, confirm that the running kernel carries one of these commits or is a stable release past the affected range listed below. A host whose rulesets never set nftrace does not exercise the tracing path, but that is no protection against an attacker who can create rules in a namespace of their own; restricting unprivileged user namespaces is the usual stopgap for netfilter bugs of this kind where patching is delayed.
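
The ordering problem and the four-part fix described above, modelled in userland C. This is an added illustration, not the kernel's code and not part of this advisory: the struct and function names (skb, traceinfo, trace_event, steal_packet, trace_notify_unfixed, trace_notify_fixed, run_trace) are simplified stand-ins for the kernel's sk_buff, nft_traceinfo and trace-notification code, the sample packet is constructed, and the freed flag together with the SKB_READ counter are instrumentation that exists only here to make a read-after-free observable without actually dereferencing freed memory.

```c
/* Userland model of the nf_tables trace path around an NF_STOLEN verdict. Added
 * illustration only: names are simplified stand-ins for the kernel's sk_buff and
 * nft_traceinfo; the freed flag and SKB_READ counter are instrumentation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };

struct skb {                 /* stand-in for struct sk_buff */
    uint32_t hash;           /* the trace id is derived from this */
    uint32_t mark;
    uint8_t  nf_trace;       /* set by a "meta nftrace set 1" rule */
    uint8_t  data[8];        /* payload the trace message dumps */
    int      freed;          /* model-only: 1 once the packet was stolen */
};
struct traceinfo {           /* stand-in for struct nft_traceinfo */
    const struct skb *skb;
    int      verdict;
    uint8_t  nf_trace;       /* fix 1: cached copy of skb->nf_trace */
    uint32_t skbid;          /* fix 3: trace id computed at chain entry */
    int      packet_dumped;
};
/* Fields the trace netlink message would carry. */
struct trace_event { uint32_t id, mark; int verdict, dumped; uint8_t payload[8]; };

static int uaf_hits;         /* model-only: number of reads of a freed skb */
/* Every field read goes through this so a read after free is counted. */
#define SKB_READ(s, field) ((s)->freed ? (uaf_hits++, (s)->field) : (s)->field)

/* An expression that takes ownership of the packet: once it returns, the skb
 * is gone and its memory may already hold something else. */
static int steal_packet(struct skb *s)
{
    memset(s, 0xAA, sizeof(*s));              /* freed slab being reused */
    s->freed = 1;
    return NF_STOLEN;
}

/* Before the fix: everything is read from the skb when the trace is emitted. */
static int trace_notify_unfixed(struct traceinfo *ti, struct trace_event *ev)
{
    const struct skb *s = ti->skb;
    if (!SKB_READ(s, nf_trace))               /* access 1 */
        return 0;
    ev->id      = SKB_READ(s, hash);          /* access 3 */
    ev->mark    = SKB_READ(s, mark);          /* access 2 */
    ev->verdict = ti->verdict;
    if (!ti->packet_dumped) {                 /* access 4 */
        memcpy(ev->payload, s->data, sizeof ev->payload);
        uaf_hits += s->freed;
        ti->packet_dumped = ev->dumped = 1;
    }
    return 1;
}

/* After the fix: use the snapshot taken at chain entry and touch the skb
 * only when the verdict is not NF_STOLEN. */
static int trace_notify_fixed(struct traceinfo *ti, struct trace_event *ev)
{
    const struct skb *s = ti->skb;
    int stolen = ti->verdict == NF_STOLEN;
    if (!stolen)                              /* refresh the copy only if skb lives */
        ti->nf_trace = SKB_READ(s, nf_trace);
    if (!ti->nf_trace)
        return 0;
    ev->id      = ti->skbid;                  /* precomputed: no skb access */
    ev->mark    = stolen ? 0 : SKB_READ(s, mark);
    ev->verdict = ti->verdict;
    if (!ti->packet_dumped && !stolen) {
        memcpy(ev->payload, s->data, sizeof ev->payload);
        ti->packet_dumped = ev->dumped = 1;
    }
    return 1;
}

/* Push one traced packet (constructed sample) through a rule and return how many
 * freed-skb reads the chosen trace path made; ev receives the emitted event. */
static int run_trace(int fixed, int steal, struct trace_event *ev)
{
    struct skb pkt = { .hash = 0x1234, .mark = 7, .nf_trace = 1,
                       .data = { 1, 2, 3, 4, 5, 6, 7, 8 } };
    /* Chain entry, skb still valid: the fix snapshots nf_trace and the id here. */
    struct traceinfo ti = { .skb = &pkt, .nf_trace = pkt.nf_trace, .skbid = pkt.hash };
    memset(ev, 0, sizeof(*ev));
    uaf_hits = 0;
    ti.verdict = steal ? steal_packet(&pkt) : NF_ACCEPT;
    (fixed ? trace_notify_fixed : trace_notify_unfixed)(&ti, ev);
    return uaf_hits;
}

int main(void)
{
    struct trace_event ev;
    printf("unfixed, NF_STOLEN: %d freed-skb reads\n", run_trace(0, 1, &ev));
    printf("fixed,   NF_STOLEN: %d freed-skb reads\n", run_trace(1, 1, &ev));
    return 0;
}
```

With the packet stolen, the unfixed path performs four reads of the released skb (nf_trace, hash for the id, mark, and the payload copy), while the fixed path performs none and still emits a trace event carrying the precomputed id and the NF_STOLEN verdict; with an NF_ACCEPT verdict the fixed path behaves as before, reading the mark and dumping the payload from a live skb.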

Details

CWE(s)
CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Versions: 5.19 · ≤ 5.18.13

References

https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba
https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87