CVE-2022-28356 in Linux
Summary
by MITRE • 04/03/2022
In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
Analysis
by VulDB Data Team • 03/05/2025
The vulnerability identified as CVE-2022-28356 represents a critical reference count leak flaw within the Linux kernel's LLC (Logical Link Control) subsystem. This issue affects kernel versions prior to 5.17.1 and specifically manifests in the net/llc/af_llc.c file, which handles LLC protocol implementation. The vulnerability stems from improper handling of reference counters during LLC socket operations, creating a condition where kernel memory resources fail to be properly released when connections are terminated or cleaned up. This type of bug falls under the category of resource management errors that can lead to system instability and potential denial of service conditions.
The technical implementation of this vulnerability involves the LLC protocol's socket reference counting mechanism where the kernel fails to decrement reference counts appropriately when LLC sockets are closed or destroyed. This occurs during the normal operation of LLC protocol connections, particularly when handling socket cleanup operations in the LLC address family implementation. The reference count leak means that kernel objects remain allocated in memory even after they should have been freed, leading to gradual memory consumption that can eventually exhaust available kernel memory resources. This flaw is classified as a CWE-404: Improper Resource Shutdown or Release, which is a common pattern in kernel-level memory management bugs.
The operational impact of CVE-2022-28356 extends beyond simple memory consumption issues to potentially compromise system stability and availability. When exploited, this vulnerability can cause sustained memory leaks that gradually degrade system performance until the kernel exhausts available memory resources. In environments running Linux kernel versions before 5.17.1, this could lead to system crashes, unexpected reboots, or complete denial of service for network services that rely on LLC protocol functionality. The vulnerability is particularly concerning in server environments where continuous network operations are performed, as the memory leak accumulates over time and can be difficult to detect until significant system degradation occurs. Attackers could potentially exploit this weakness to perform resource exhaustion attacks against systems running vulnerable kernel versions.
Mitigation strategies for this vulnerability primarily focus on kernel version upgrades to 5.17.1 or later, which contain the necessary patches to address the reference count leak in the LLC subsystem. System administrators should prioritize updating their kernel versions as soon as possible, particularly in production environments where LLC protocol usage is common. Additionally, monitoring systems should be implemented to track memory usage patterns and detect potential resource exhaustion conditions that may indicate exploitation of this vulnerability. The patch for this issue follows standard kernel security practices by properly implementing reference counting semantics in the LLC socket cleanup routines, ensuring that all allocated resources are correctly released when sockets are closed. Organizations should also consider implementing network segmentation and access controls to limit exposure to potential exploitation attempts, while maintaining regular security assessments to identify other potential vulnerabilities in their kernel implementations. This vulnerability aligns with ATT&CK technique T1499.001: Endpoint Denial of Service, as it can lead to system resource exhaustion and availability disruption.
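The upgrade check described above can be scripted. The following is an added example, not code from the advisory or the kernel project: it compares a kernel release string against the fixed version 5.17.1 and looks for the llc2 module, which is built from net/llc/af_llc.c. The function names and verdict words are hypothetical, the sample input is constructed, and the comparison assumes upstream version numbering (distribution kernels may carry the fix under an older version number).

```sh
#!/bin/sh
# Added example (not from the advisory): triage a host for CVE-2022-28356.
# Assumption: the release string follows upstream numbering; distribution
# kernels may carry the fix under an older version number.

# Return 0 if release $1 is older than 5.17.1, 1 if not, 2 if unparseable.
kernel_before_fix() {
    rel=${1%%[-+]*}                      # "5.15.0-91-generic" -> "5.15.0"
    case $rel in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                  # "5.17" counts as 5.17.0
    esac
    case "$major.$minor.$patch" in *[!0-9.]*|.*|*..*|*.) return 2 ;; esac
    [ "$major" -lt 5 ] && return 0
    [ "$major" -gt 5 ] && return 1
    [ "$minor" -lt 17 ] && return 0
    [ "$minor" -gt 17 ] && return 1
    [ "$patch" -lt 1 ] && return 0
    return 1
}

# Return 0 if /proc/modules-format text on stdin lists llc2, the module
# built from net/llc/af_llc.c. A built-in LLC2 (CONFIG_LLC2=y) is not listed.
llc2_loaded() {
    while read -r name _rest || [ -n "$name" ]; do
        [ "$name" = llc2 ] && return 0
    done
    return 1
}

# Print one verdict word for release $1 and the module list on stdin.
assess() {
    kernel_before_fix "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "fixed-upstream" ;;
        2) echo "unknown-version" ;;
        0) if llc2_loaded; then echo "exposed"; else echo "llc2-not-loaded"; fi ;;
    esac
}

# Constructed sample input; on a real host: assess "$(uname -r)" < /proc/modules
printf 'llc2 61440 0 - Live 0x0\nllc 16384 1 llc2, Live 0x0\n' | assess "5.16.20-generic"
```

A verdict of llc2-not-loaded only describes the current state, since the module can be loaded later; a kernel older than 5.17.1 without a backported fix still needs the upgrade.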