CVE-2022-3586 in Linux
Summary
by MITRE • 10/19/2022
A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/18/2025
The vulnerability identified as CVE-2022-3586 represents a critical use-after-free condition within the Linux kernel's networking subsystem that specifically affects the sch_sfb qdisc implementation. This flaw exists in the traffic control framework where the kernel manages network packet queuing and scheduling. The issue manifests when the sch_sfb enqueue function attempts to access the socket buffer control block (cb field) of a packet buffer after that same buffer has already been enqueued and subsequently freed by a child qdisc implementation. The root cause lies in the improper handling of reference counting and memory lifecycle management within the kernel's traffic control code path, creating a scenario where freed memory is accessed, leading to undefined behavior and system instability.
This vulnerability operates at the kernel level within the networking stack and directly impacts the Linux kernel's traffic control subsystem, specifically the sfb (Stochastic Fairness Bandwidth) queuing discipline. The flaw is classified as a use-after-free condition under CWE-416, which occurs when a program accesses memory after it has been freed, leading to potential system crashes and denial of service conditions. The vulnerability affects systems running Linux kernel versions where the sch_sfb qdisc implementation lacks proper memory management safeguards. The attack vector requires local, unprivileged user access, making it particularly concerning as it can be exploited by any user account without requiring administrative privileges or special permissions. The exploitation mechanism relies on the attacker's ability to manipulate network traffic through the qdisc subsystem, triggering the specific code path that leads to the memory access violation.
The operational impact of CVE-2022-3586 extends beyond simple system crashes to potentially compromise the entire network stack functionality of affected systems. When exploited, the vulnerability causes immediate system instability and can lead to complete system hangs or reboots, resulting in significant denial of service conditions that can affect critical infrastructure. The vulnerability affects systems where the sfb qdisc is actively used for network traffic management, which includes various enterprise and server environments that implement advanced traffic control policies. Organizations running Linux systems with network traffic control configurations that utilize the sch_sfb queuing discipline are at risk, particularly those with high network throughput requirements or systems where network reliability is paramount. The vulnerability's impact is amplified in environments where network traffic management is heavily utilized, as the exploitation can occur through normal network operations rather than requiring specialized attack conditions.
Mitigation strategies for CVE-2022-3586 primarily focus on kernel updates and system hardening measures. The most effective approach involves applying the latest kernel patches that address the specific memory management issue within the sch_sfb qdisc implementation. System administrators should prioritize updating their Linux distributions to versions that contain the fix for this vulnerability, typically released by major distributions within days of the vulnerability disclosure. Additionally, organizations can implement network traffic control policy changes that avoid using the affected qdisc implementation, though this may require significant reconfiguration of existing network management systems. The vulnerability does not require special privileges for exploitation, so any user account on the system can potentially trigger it, making it crucial to maintain up-to-date kernel versions across all systems. Network administrators should also consider implementing monitoring solutions to detect potential exploitation attempts and establish incident response procedures specifically targeting kernel-level denial of service attacks. The ATT&CK framework categorizes this vulnerability under T1499.004 - Endpoint Denial of Service, as it specifically targets system stability through kernel-level memory corruption, and organizations should include this in their threat modeling and vulnerability management processes to prevent successful exploitation attempts.