CVE-2022-49014 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Fix use-after-free in tun_detach()
syzbot reported a use-after-free in tun_detach() [1]. This causes a call trace like the one below:
==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that sock_put() from __tun_detach() drops the last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net.
This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses to the struct net have been done.
Analysis
by VulDB Data Team • 01/18/2026
The vulnerability CVE-2022-49014 is a critical use-after-free condition in the Linux kernel's TUN (Tunnel) network driver. The flaw lies in the tun_detach() function, where an incorrect ordering of operations leads to an access to freed memory. It was found through automated fuzzing by syzbot, whose kernel address sanitizer (KASAN) report showed a use-after-free read during notifier call chain execution. The kernel accesses the network namespace structure (struct net) after its last reference has been dropped and the memory freed, creating a potential security risk that could be exploited by malicious actors.
The root cause is the sequence of operations in the TUN driver's detachment logic. During tun_detach(), sock_put() is called and drops the reference count of the struct net to zero, which frees the memory. Later operations in the same call chain, in particular notifier_call_chain() invoked through netdev_state_change(), then access the freed struct net. This is a classic use-after-free: deallocated memory is still referenced, leading to unpredictable behavior and potential system crashes. The flaw is particularly concerning because it is triggered during normal network device cleanup, which makes it hard to distinguish from legitimate teardown activity and difficult to reproduce reliably in controlled environments.
The operational impact of this vulnerability extends beyond simple system instability to potential security compromise. When the kernel experiences a use-after-free condition, it can result in memory corruption that may allow attackers to execute arbitrary code with kernel privileges. The vulnerability affects systems running Linux kernel versions where the TUN network driver is utilized, particularly in virtualized environments, containerized applications, and network security tools that rely on TUN interfaces for network traffic manipulation. The specific call trace shows this issue occurs during network device cleanup operations, which means it could be triggered through normal network interface management activities, making it particularly dangerous in production environments where network operations are frequent.
This vulnerability maps directly to CWE-416, which defines use-after-free conditions as a well-known software weakness pattern. The ATT&CK framework categorizes this under T1059.007 for system services and T1068 for exploitation of privilege escalation opportunities. The flaw demonstrates poor memory management practices in kernel space where resource deallocation occurs before all references to the resource are resolved. The patch implemented addresses the issue by reordering the operations within tun_detach() to ensure that all necessary accesses to the net structure occur before sock_put() is called, thereby preventing the premature deallocation that leads to the use-after-free condition. This fix aligns with secure coding practices that emphasize proper resource lifecycle management and adherence to memory safety principles in kernel development. The resolution demonstrates the importance of careful synchronization in kernel-level programming where the timing of resource deallocation can directly impact system stability and security.
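As an added example that is not part of this advisory or of the kernel patch, the following userspace C model reproduces the ordering defect described in the summary and in the analysis above: a refcounted net whose last reference is dropped by sock_put() before the netdev notifier reads it, beside the corrected order in which every access to the net happens first. The struct layouts, function names and return codes are constructed stand-ins for the kernel's, and the "free" is simulated with a flag so the bad access is reported rather than crashing.

```c
#include <stdlib.h>

/* Constructed userspace model (added example, not kernel code) of the
 * ordering bug fixed in tun_detach(): the sock holds the last reference
 * to a struct net, and the netdev notifier must read that net before
 * the reference is dropped. Names mirror the kernel's but are stubs. */
struct net { int refcnt; int freed; };
struct sock { struct net *net; };

static struct net *net_alloc(void) {
    struct net *n = calloc(1, sizeof *n);
    n->refcnt = 1;            /* the sock's reference */
    return n;
}

/* Stand-in for put_net(): the last put "frees" the net. The memory is kept
 * so the model can detect a later access instead of crashing. */
static void put_net(struct net *n) {
    if (--n->refcnt == 0) n->freed = 1;
}

static void sock_put(struct sock *sk) { put_net(sk->net); }
/* Models notifier_call_chain() reading the net: 0 = valid, -1 = UAF. */
static int netdev_state_change(struct net *n) { return n->freed ? -1 : 0; }

/* Vulnerable order (before the fix): the reference is dropped inside
 * __tun_detach(), then the notifier runs and reads the freed net. */
static int tun_detach_vulnerable(struct sock *sk) {
    struct net *n = sk->net;
    sock_put(sk);
    return netdev_state_change(n);
}

/* Fixed order: every access to struct net happens before sock_put(). */
static int tun_detach_fixed(struct sock *sk) {
    struct net *n = sk->net;
    int rc = netdev_state_change(n);
    sock_put(sk);
    return rc;
}

/* Runs one detach path on a fresh sock/net pair and reports its result. */
static int run_detach(int (*detach)(struct sock *)) {
    struct net *n = net_alloc();
    struct sock sk = { n };
    int rc = detach(&sk);
    free(n);
    return rc;
}
```

The same check is what KASAN performs on real kernel memory: the vulnerable path returns -1 (a read after the last put), the fixed path returns 0.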