CVE-2022-49006 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

tracing: Free buffers when a used dynamic event is removed

After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob.

The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number, that new event's logic for parsing the binary blob will be used.

To show how this can be an issue, the following can crash the kernel:

# cd /sys/kernel/tracing
# for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
# done

For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available one until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When a dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same.

Now that means deleting one dynamic event and creating another will reuse the previous event's type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event reads the do_sys_openat2 function call's first parameter as an integer.

# echo 1 > kprobes/foo/enable
# cat /etc/passwd > /dev/null
# cat trace
cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
# echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

# echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events

And now we can see the trace:

# cat trace
sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=
cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????"
cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????"
cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="????????????????????????????????????????????????????????????????????????????????????????????????"
cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="???????????????????????????????????????
---truncated---


Analysis

by VulDB Data Team • 01/18/2026

CVE-2022-49006 is a flaw in the Linux kernel's tracing subsystem, specifically in how the type numbers of dynamic events (kprobe events and similar) are recycled. A type number is the 16-bit identifier carried by every record in the tracing ring buffer; it selects the logic used to parse that record. The allocator hands out increasing numbers until the 16-bit space is exhausted at 65535, and from then on reuses the lowest number not held by a live event. Records written by a dynamic event that has since been removed, however, stay in the ring buffer tagged with the old number, so a newly created event can be handed a number that still labels stale records. The issue is classified under CWE-129 (Improper Validation of Array Index) and CWE-787 (Out-of-bounds Write); the effect demonstrated in the fix commit is a kernel crash, and the runs of "?" in its trace output are the trace reader walking past the end of a record it has misparsed.

The technical flaw is not in releasing the type number but in what is left behind. When a dynamic event is removed its number becomes available for reuse, yet any records the event wrote while it was enabled remain in the ring buffer with that number. Once a new event is created and receives the same number, the trace reader decodes those stale records with the new event's format. In the commit's example a kprobe event that recorded the first argument of do_sys_openat2 as a u32 is replaced by one whose first field is a string; a string field is located by an offset/length word read from the same bytes where the u32 was stored, so the value 4294967196 (0xFFFFFF9C) is interpreted as an offset and a length and the reader runs far beyond the record. This is a type confusion between two event formats that share one identifier. Its observable effects are garbage output and, as the commit title states, kernel crashes. The fix, "tracing: Free buffers when a used dynamic event is removed", clears the trace ring buffers whenever a dynamic event that has been used is removed, so no record carrying the released number survives to be reinterpreted.
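The reuse mechanism described above, as an added user-space model; this is not kernel code and not code from the fix. It keeps a 16-bit type allocator that counts up and then scans for the first free id, a small ring buffer of tagged records, and a parser table keyed by type id. The record size, the starting id and the __data_loc-style offset/length layout of the string field are assumptions chosen to mirror the commit message. Without the fix, the record written by the u32 event stays tagged with the id the string event then receives, and decoding it yields an out-of-bounds read; with the flush the fix adds on removal of a used event, the stale record is gone.

```c
/* Added illustration for CVE-2022-49006: a user-space model of the dynamic-event type
 * allocator and trace ring buffer, not kernel code; ids, sizes and layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TYPE_MAX       0xFFFF /* the ring-buffer "type" field is 16 bits */
#define FIRST_DYN_TYPE 1000   /* assumption: lower ids belong to static events */
#define RING_SLOTS     16
#define PAYLOAD_BYTES  24
enum parser { PARSER_NONE, PARSER_U32, PARSER_STRING };
struct record { uint16_t type; uint8_t data[PAYLOAD_BYTES]; };
struct ring   { struct record slot[RING_SLOTS]; int count; };
static struct { enum parser parser; bool used; } types[TYPE_MAX + 1]; /* PARSER_NONE: free */
static int next_type;
/* Increasing ids until the 16-bit space is exhausted, then the first free id. */
int event_create(enum parser p)
{
    int id = next_type <= TYPE_MAX ? next_type++ : FIRST_DYN_TYPE;
    while (id <= TYPE_MAX && types[id].parser != PARSER_NONE)
        id++;
    if (id > TYPE_MAX)
        return -1;
    types[id].parser = p;
    types[id].used = false;
    return id;
}

/* Frees the id; with fixed set it also flushes the ring buffer when the event ever
 * wrote to it, which is what the fix adds and what unpatched kernels lack. */
void event_remove(int id, struct ring *rb, bool fixed)
{
    if (id < 0)
        return;
    types[id].parser = PARSER_NONE;
    if (fixed && types[id].used)
        rb->count = 0;
}

/* Append a record tagged with id that carries n payload bytes (rest zero-filled). */
void emit(struct ring *rb, int id, const void *payload, size_t n)
{
    if (id < 0 || rb->count >= RING_SLOTS || n > PAYLOAD_BYTES)
        return;
    struct record *r = &rb->slot[rb->count++];
    *r = (struct record){ .type = (uint16_t)id };
    memcpy(r->data, payload, n);
    types[id].used = true;
}

/* Decode every record with the parser registered for its type id. A string field is a
 * __data_loc-style 16-bit offset and 16-bit length into the record's own payload; the
 * return value counts fields pointing outside it (the '????' bytes in the trace above). */
int parse_ring(const struct ring *rb)
{
    int oob = 0;
    for (int i = 0; i < rb->count; i++) {
        const struct record *r = &rb->slot[i];
        uint16_t loc[2];                           /* { offset, length } */
        if (types[r->type].parser != PARSER_STRING)
            continue;                              /* u32 decoding is not modelled */
        memcpy(loc, r->data, sizeof loc);
        if ((unsigned)loc[0] + loc[1] > PAYLOAD_BYTES) {
            printf("type %d: off=%d len=%d exceeds the %d-byte record: OOB read\n", r->type, loc[0], loc[1], PAYLOAD_BYTES);
            oob++;
        } else
            printf("type %d: arg1=\"%.*s\"\n", r->type, loc[1], (const char *)r->data + loc[0]);
    }
    return oob;
}

/* The commit's sequence: churn ids until the allocator wraps, trace a u32 event, replace
 * it with a string event that gets the same id, decode. Returns OOB reads, -1 if no reuse. */
int run_scenario(bool fixed)
{
    struct ring rb = { .count = 0 };
    uint32_t arg1 = 4294967196u;                   /* arg1 value in the commit's trace */
    uint8_t str_rec[PAYLOAD_BYTES] = { 0 };
    memset(types, 0, sizeof types);
    next_type = FIRST_DYN_TYPE;
    while (next_type <= TYPE_MAX)                  /* the 65536-iteration loop */
        event_remove(event_create(PARSER_U32), &rb, fixed);
    int first = event_create(PARSER_U32);
    emit(&rb, first, &arg1, sizeof arg1);
    event_remove(first, &rb, fixed);
    int id = event_create(PARSER_STRING);
    if (id != first)
        return -1;
    memcpy(str_rec, (uint16_t[]){ 4, 12 }, 4);      /* string at offset 4, 12 bytes long */
    memcpy(str_rec + 4, "/etc/passwd", 12);        /* constructed sample string */
    emit(&rb, id, str_rec, sizeof str_rec);
    return parse_ring(&rb);
}
int main(void)
{
    printf("unpatched OOB reads: %d, patched: %d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

Compile with `cc -std=c99 model.c` and run: `run_scenario(false)` returns 1 (the stale u32 record is decoded as a string whose offset and length, 0xFF9C and 0xFFFF on a little-endian host, lie far outside the record) and `run_scenario(true)` returns 0, because flushing on removal of a used event is exactly what prevents the id from being reinterpreted. The offset/length pair the model recovers is consistent with the run of '?' characters in the commit's trace output.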

Operationally this is a local denial of service. Creating, enabling and removing dynamic events requires write access to tracefs (/sys/kernel/tracing), which by default is available only to root, so the trigger is already privileged and the bug does not on its own cross a privilege boundary. It matters where tracing has been delegated to less trusted users or containers, and on systems where root is not supposed to be able to corrupt kernel memory. The sequence needed is cheap: 65536 create-and-remove cycles of a dynamic event, then one traced event removed and re-created with a different format, all of which the loop in the summary performs in seconds. Nothing beyond the crash shown in the commit message is documented here. Systems running an unpatched kernel with tracefs enabled are affected, in particular servers, cloud hosts and embedded systems that rely on kernel tracing for monitoring and debugging.

Mitigation is applying the kernel fix: kernels carrying "tracing: Free buffers when a used dynamic event is removed" clear the trace ring buffers when a dynamic event that has been used is deleted, at the cost of losing whatever was buffered at that moment. Until the fix is in place, keep tracefs restricted to root (its default permissions) and do not grant write access to kprobe_events, uprobe_events or dynamic_events to untrusted users or containers. Administrators who script dynamic events on unpatched kernels can avoid leaving stale records by disabling the event and clearing the ring buffer (echo > trace, in every instance under instances/ where the event was enabled) before deleting it, which achieves by hand what the fix does automatically. General hardening such as KASLR or control-flow integrity does not prevent the misparse, since the defect lies in how the kernel interprets its own ring-buffer records rather than in an attacker-supplied code path. Monitoring high-rate churn on kprobe_events has limited value given that the trigger is root-only; auditing which identities can write to tracefs is the more useful control.

Responsible: Linux
Reservation: 08/22/2024
Disclosure: 10/21/2024
Moderation: accepted
CPE: ready
EPSS: 0.00255
KEV: no
Activities: very low
