CVE-2022-41973 in multipath-tools

Summary

by MITRE • 10/31/2022

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.


Analysis

by VulDB Data Team • 11/29/2025

CVE-2022-41973 is a critical local privilege escalation flaw in multipath-tools versions 0.7.7 through 0.9.x before 0.9.2. It affects multipathd, the multipath daemon that manages multiple paths to storage devices in Linux environments. The vulnerability arises from improper handling of symbolic links within the /dev/shm directory, creating a path traversal condition that allows malicious local users to manipulate file system permissions and execute arbitrary code with elevated privileges.

The technical implementation of this vulnerability stems from the multipathd daemon's inadequate validation of symbolic link references within the shared memory filesystem. When local users have access to /dev/shm, they can manipulate symbolic links that the daemon subsequently processes without proper sanitization. This incorrect symlink handling creates a condition where the daemon performs file operations that are directed to locations outside the intended /dev/shm directory structure. The flaw operates as a classic path traversal attack where symbolic link manipulation bypasses normal file system access controls, enabling attackers to write to arbitrary locations on the file system.

The operational impact of this vulnerability extends beyond simple privilege escalation as it creates a persistent backdoor mechanism within storage management systems. Attackers exploiting this vulnerability can gain root access to systems running affected multipath-tools versions, potentially compromising entire storage infrastructures. The attack vector becomes particularly dangerous when combined with CVE-2022-41974, as the exploitation chain allows for more sophisticated privilege escalation techniques. Systems utilizing multipath storage configurations are at heightened risk, particularly in enterprise environments where storage management tools are critical components of infrastructure reliability.

Security professionals should recognize this vulnerability as a direct violation of the principle of least privilege and of proper input validation, as outlined in CWE-22 (Path Traversal) and CWE-787 (Out-of-bounds Write). The attack pattern aligns with techniques documented in the MITRE ATT&CK framework under privilege escalation tactics, specifically the use of local tools and system services for unauthorized access. Organizations should immediately upgrade multipath-tools to version 0.9.2 or later, and monitor for suspicious symbolic link modifications in /dev/shm and other shared memory locations. System administrators should also consider additional access controls and file integrity monitoring to detect unauthorized modifications to multipath daemon configurations and related system files.
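The monitoring recommended above can start with a periodic scan for symlinks under /dev/shm whose resolved target lies outside that directory. The following is an added example, not code from VulDB or the multipath-tools project; the function names and the temporary directory tree standing in for /dev/shm are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link, resolved_target, owner_uid) tuples for every
    symlink under root whose resolved target lies outside root."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat inspects the link itself
            except OSError:
                continue  # entry vanished between listing and lstat
            if not stat.S_ISLNK(st.st_mode):
                continue
            # realpath also resolves dangling links, so a link aimed at a
            # file that does not exist yet is still reported.
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, target, st.st_uid))
    return sorted(findings)


def demo():
    """Scan a constructed tree standing in for /dev/shm; return flagged names."""
    with tempfile.TemporaryDirectory() as base:
        shm = os.path.join(base, "shm")      # constructed stand-in for /dev/shm
        outside = os.path.join(base, "etc")  # constructed "outside" location
        os.makedirs(os.path.join(shm, "sub"))
        os.makedirs(outside)
        open(os.path.join(shm, "data"), "w").close()
        os.symlink(os.path.join(shm, "data"), os.path.join(shm, "inside_link"))
        os.symlink(os.path.join(outside, "f"), os.path.join(shm, "sub", "escape_abs"))
        os.symlink("../../etc/f", os.path.join(shm, "sub", "escape_rel"))
        return [os.path.basename(p) for p, _, _ in find_escaping_symlinks(shm)]


if __name__ == "__main__":
    # With a directory argument (e.g. /dev/shm) scan it; otherwise run the demo.
    if len(sys.argv) > 1:
        for link, target, uid in find_escaping_symlinks(sys.argv[1]):
            print(f"uid={uid} {link} -> {target}")
    else:
        print(demo())
```

A scan like this is a point-in-time detection aid and can miss a link that exists only briefly; the remedy for the flaw itself remains the upgrade to 0.9.2 or later.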

The exploitation of this vulnerability demonstrates the critical importance of proper file system permission handling in daemon processes and highlights the risks associated with insufficient sandboxing of system services. The vulnerability underscores the need for comprehensive security testing of system management tools and the implementation of robust input validation mechanisms to prevent path traversal attacks. Organizations should conduct thorough vulnerability assessments of their storage management infrastructure and implement layered security controls to protect against similar attacks targeting system services and daemon processes.

Reservation: 09/30/2022
Disclosure: 10/31/2022
Moderation: accepted
CPE: ready
EPSS: 0.00658
KEV: no
Activities: very low
