CVE-2022-45873 in systemd

Summary

by MITRE • 11/24/2022

systemd 250 and 251 allow local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.


Analysis

by VulDB Data Team • 04/25/2025

CVE-2022-45873 is a critical deadlock condition in systemd versions 250 and 251 that stems from improper handling of core dump processing. The flaw lies in the parse_elf_object function in shared/elf-util.c, which does not properly manage recursive crash scenarios that generate excessively long backtraces. It affects the systemd-coredump service, which is responsible for collecting and processing core dumps from crashed applications, and creates a denial of service scenario that can effectively lock up the system's core dump handling.

The technical exploitation mechanism involves a carefully crafted approach that leverages the recursive nature of function calls within the ELF parsing process. An attacker must first create a binary that triggers a crash while calling the same function recursively, effectively creating a deep call stack that generates an exceptionally long backtrace. The attacker then places this malicious binary within a deeply nested directory structure to artificially inflate the backtrace length beyond the system's processing capabilities. This method exploits the underlying assumption that backtraces would remain within reasonable bounds during core dump processing.

The operational impact is most severe under the default configuration of systemd-coredump.socket, which typically sets MaxConnections=16. This parameter caps the number of concurrent connections the coredump socket accepts, so a fixed number of exploitation attempts is enough to reach the deadlock. An attacker who runs the attack 16 times in succession exhausts the connection limit, and the systemd-coredump service enters a deadlock state in which it no longer responds to further core dump processing requests. The result is a persistent denial of service condition that can significantly impact system stability and monitoring capabilities.

From a cybersecurity perspective, this vulnerability aligns with CWE-674, which addresses the issue of uncontrolled recursion leading to resource exhaustion, and represents a classic example of a resource exhaustion attack that targets system services rather than network protocols. The attack pattern follows elements of the ATT&CK framework's privilege escalation techniques, specifically targeting system-level services to achieve persistent denial of service conditions. The vulnerability demonstrates how seemingly benign system components like core dump handlers can become attack vectors when proper bounds checking and resource management are absent.

Mitigation requires an immediate update to a patched version of systemd in which recursive backtrace handling is properly constrained and bounded. System administrators should also monitor systemd-coredump service behavior so that potential deadlock conditions are detected before they occur. The recommended approach includes reducing the MaxConnections parameter in the systemd-coredump.socket configuration to limit the potential impact of such attacks, while keeping all system binaries regularly updated so that outdated software components cannot be used for exploitation. Organizations should also apply resource limits and process monitoring to detect abnormal behavior in core dump handling services, which provides an early warning of exploitation attempts.
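An audit check for the mitigations just described, written here as an added example for this record (it is not VulDB's or systemd's own code): it reads the installed systemd version and the effective MaxConnections= of systemd-coredump.socket and flags the versions the record lists as affected. It assumes the usual `systemctl --version` output format and that `systemctl cat` prints the unit file followed by its drop-ins; the sample unit text is constructed, with only MaxConnections=16 taken from the record.

```shell
#!/bin/sh
# Audit helper for CVE-2022-45873 (added example; not VulDB's or systemd's code).
# Assumptions: affected versions are exactly systemd 250 and 251, and the shipped
# unit sets MaxConnections=16, both as stated in the record above.

# Major version from `systemctl --version` output, e.g. "systemd 251 (251.4-1)" -> 251.
systemd_major() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Returns 0 (true) when the version is one the record lists as affected.
is_affected_version() {
    case "$(systemd_major "$1")" in
        250|251) return 0 ;;
        *)       return 1 ;;
    esac
}

# Effective MaxConnections= from unit text. `systemctl cat` prints the unit file
# followed by its drop-ins and systemd lets the last assignment win, so take the last match.
effective_max_connections() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*MaxConnections=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | tail -n 1
}

# Constructed sample unit text; only the MaxConnections=16 line comes from the record.
SAMPLE_SOCKET_UNIT='[Socket]
ListenSequentialPacket=/run/systemd/coredump
Accept=yes
MaxConnections=16'

# Prints a finding; returns 0 when the version is not affected, 1 when it is.
audit_coredump_socket() {
    ver="$1"; unit="$2"
    max="$(effective_max_connections "$unit")"
    [ -n "$max" ] || max="unset"
    if is_affected_version "$ver"; then
        echo "AFFECTED: systemd $(systemd_major "$ver") is listed for CVE-2022-45873; MaxConnections=$max; update systemd"
        return 1
    fi
    echo "OK: systemd $(systemd_major "$ver") is not listed; MaxConnections=$max"
    return 0
}

# Stand-alone demonstration on constructed input. On a live host use:
#   audit_coredump_socket "$(systemctl --version)" "$(systemctl cat systemd-coredump.socket)"
audit_coredump_socket 'systemd 251 (251.4-1)' "$SAMPLE_SOCKET_UNIT" || true
```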

Reservation: 11/23/2022

Disclosure: 11/24/2022

Moderation: accepted

CPE: ready

EPSS: 0.00254

KEV: no

Activities: very low
