CVE-2022-50855
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: prevent leak of lsm program after failed attach
In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog's refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place.
[0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A refcount leak in the Linux kernel's BPF LSM_CGROUP attach logic allows an LSM program to remain alive after a failed attach, potentially leading to resource exhaustion.
Vulnerability
Overview
CVE-2022-50855 is a reference-count leak vulnerability in the Linux kernel's BPF subsystem, specifically in the bpf_prog_attach function for LSM (Linux Security Module) programs. When attaching an LSM program to a cgroup, the kernel validates that the program is intended for BPF_LSM_CGROUP. If this validation fails, the function returns an error early without decrementing the program's reference count via bpf_prog_put. This leaves the LSM program alive beyond its intended lifecycle, causing a memory leak [1].
Exploitation
An attacker with the ability to trigger a failed LSM program attach to a cgroup can exploit this bug. The attack requires local access and the ability to create and attach BPF programs, which typically requires CAP_BPF or root privileges. No special network position is needed. The failure condition is easily triggered by attempting to attach an LSM program not marked for cgroup attachment [1].
Impact
Successful exploitation leads to a gradual exhaustion of kernel memory as leaked LSM programs accumulate. This can result in a denial-of-service (DoS) condition, potentially crashing the system. The vulnerability does not provide code execution or privilege escalation, but it can degrade system stability and availability.
Mitigation
The fix
The fix, committed to the Linux kernel stable tree, ensures that bpf_prog_put is called even when the validation check fails, properly releasing the program's reference. Users should apply the patch from the stable kernel repository [1]. No workaround is available; updating the kernel is the only mitigation.
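The early-return pattern described above, reduced to a userspace C model. This is an added example, not the kernel's code or the actual patch; `struct prog`, `prog_get`, `prog_put`, `attach_buggy`, `attach_fixed` and the attach-type enum are hypothetical stand-ins for the program object, its refcount helpers and the validation in bpf_prog_attach.

```c
/* Userspace model of the refcount leak; not kernel code, all names hypothetical. */
#include <errno.h>
#include <stdio.h>

enum attach_type { ATTACH_LSM_MAC, ATTACH_LSM_CGROUP };

struct prog {
    int refcnt;                 /* stands in for the program's reference count */
    enum attach_type expected;  /* attach type the program was loaded for */
};

static struct prog *prog_get(struct prog *p) { p->refcnt++; return p; }
static void prog_put(struct prog *p) { p->refcnt--; }

/* Before the fix: the failed validation returns while still holding the ref. */
static int attach_buggy(struct prog *loaded)
{
    struct prog *p = prog_get(loaded);  /* reference taken for the attach */
    if (p->expected != ATTACH_LSM_CGROUP)
        return -EINVAL;                 /* leak: no prog_put() on this path */
    return 0;                           /* success: the attachment keeps the ref */
}

/* After the fix: the error is recorded and the common exit drops the ref. */
static int attach_fixed(struct prog *loaded)
{
    struct prog *p = prog_get(loaded);
    int ret = 0;
    if (p->expected != ATTACH_LSM_CGROUP)
        ret = -EINVAL;                  /* no early return */
    if (ret)
        prog_put(p);                    /* failed attach releases its ref */
    return ret;
}

/* Returns the refcount left on a non-cgroup LSM program after n failed attaches. */
static int refs_after_failures(int (*attach)(struct prog *), int n)
{
    struct prog p = { .refcnt = 1, .expected = ATTACH_LSM_MAC };
    for (int i = 0; i < n; i++)
        attach(&p);
    return p.refcnt;
}

int main(void)
{
    printf("buggy: %d refs, fixed: %d refs\n", refs_after_failures(attach_buggy, 1000), refs_after_failures(attach_fixed, 1000));
    return 0;
}
```

In the model each failed attach through the buggy path leaves one extra reference behind, so the owner's final put never brings the count to zero and the program is never freed.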
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
82b39df5ddb2, 6a1504dd36cd, e89f3edffb86
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.