CVE-2022-49552 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix combination of jit blinding and pointers to bpf subprogs.

The combination of jit blinding and pointers to bpf subprogs causes:

[ 36.989548] BUG: unable to handle page fault for address: 0000000100000001
[ 36.990342] #PF: supervisor instruction fetch in kernel mode
[ 36.990968] #PF: error_code(0x0010) - not-present page
[ 36.994859] RIP: 0010:0x100000001
[ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.
[ 37.004091] Call Trace:
[ 37.004351]
[ 37.004576] ? bpf_loop+0x4d/0x70
[ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b

The jit blinding logic didn't recognize that ld_imm64 with an address of a bpf subprogram is a special instruction and proceeded to randomize it. By itself it wouldn't have been an issue, but the jit_subprogs() logic relies on a two-step process to JIT all subprogs and then JIT them again when the addresses of all subprogs are known. The blinding process in the first JIT phase caused the second JIT to miss the adjustment of the special ld_imm64.

Fix this issue by ignoring special ld_imm64 instructions that don't have user controlled constants and shouldn't be blinded.


Analysis

by VulDB Data Team • 10/23/2025

The vulnerability CVE-2022-49552 resides within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically affecting the just-in-time compilation mechanism that optimizes bpf programs for execution. This flaw demonstrates a critical interaction between two kernel security features designed to protect against information disclosure and code manipulation attacks. The issue manifests when JIT blinding is enabled and the kernel compiles bpf programs that contain references to bpf subprograms, creating a scenario where memory access violations occur during program execution. The kernel's response to this condition generates a page fault error indicating an inability to handle an instruction fetch at address 0x100000001, which represents an invalid memory location that should not be accessible during normal operation.

The technical root cause involves the improper handling of ld_imm64 instructions during the JIT compilation process, where these instructions are used to load 64-bit immediate values representing addresses of bpf subprograms. The jit blinding mechanism, which randomizes memory addresses to prevent attackers from determining program layout, fails to recognize that certain ld_imm64 instructions containing bpf subprogram addresses are special cases requiring preservation of their original values. This oversight occurs because the blinding logic treats all ld_imm64 instructions uniformly without distinguishing between user-controlled constants that should be randomized and programmatic addresses that must remain stable. The vulnerability particularly affects the two-phase JIT compilation process where subprograms are first compiled and then recompiled once all addresses are known, causing the second compilation phase to fail when attempting to adjust addresses that were already randomized during the first phase.
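The two-pass sequence described in the commit message and in the paragraph above, as an added, constructed model in C (not kernel code): the buggy first pass blinds every ld_imm64, so the second pass no longer recognizes the subprogram-pointer form it must patch, beside the fixed pass that skips it. The LD_BLINDED marker, the subprogram addresses and the random value are assumptions; PSEUDO_FUNC reuses the value of BPF_PSEUDO_FUNC from the kernel UAPI.

```c
/* Constructed model of the CVE-2022-49552 bug, not kernel code: pass 1 blinds
 * ld_imm64 constants, pass 2 patches subprogram pointers once addresses are known. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define LD_IMM64    0x18 /* BPF_LD | BPF_IMM | BPF_DW */
#define LD_BLINDED  0xff /* hypothetical marker for an XOR-blinded immediate */
#define PSEUDO_FUNC 4    /* value of BPF_PSEUDO_FUNC in uapi/linux/bpf.h */
struct insn { uint8_t code; uint8_t src_reg; uint64_t imm; };

/* Pass 1: the buggy variant blinds every ld_imm64; the fixed variant leaves
 * the subprogram-pointer form alone because its imm is not user controlled. */
static void blind_constants(struct insn *p, size_t n, uint64_t rnd, bool fixed)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].code != LD_IMM64 || (fixed && p[i].src_reg == PSEUDO_FUNC))
            continue;
        p[i].code = LD_BLINDED;
        p[i].src_reg = 0;   /* the blinded form no longer carries the marker */
        p[i].imm ^= rnd;
    }
}

/* Pass 2: replace the subprogram index in a pseudo-func ld_imm64 with the
 * subprogram's final JIT address. A blinded instruction is not recognized. */
static void relocate_subprogs(struct insn *p, size_t n, const uint64_t *addr)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].code == LD_IMM64 && p[i].src_reg == PSEUDO_FUNC)
            p[i].imm = addr[p[i].imm];
}

/* "Run" the program: the 64-bit value it would hand to bpf_loop() as callback. */
static uint64_t callback_target(const struct insn *p, size_t n, uint64_t rnd)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].code == LD_IMM64)   return p[i].imm;
        if (p[i].code == LD_BLINDED) return p[i].imm ^ rnd; /* runtime unblind */
    }
    return 0;
}

/* One-instruction program "r1 = &subprog[1]" through both passes. */
uint64_t jit_callback(bool fixed)
{
    const uint64_t addr[] = { 0xffffffffc0a01000ULL, 0xffffffffc0a02000ULL }; /* assumed */
    const uint64_t rnd = 0x5a5a5a5a5a5a5a5aULL;   /* stands in for a random value */
    struct insn prog[] = { { LD_IMM64, PSEUDO_FUNC, 1 } };
    blind_constants(prog, 1, rnd, fixed);
    relocate_subprogs(prog, 1, addr);
    return callback_target(prog, 1, rnd); /* buggy: 1 (bogus address); fixed: addr[1] */
}
```

With the buggy pass the program ends up jumping to the raw subprogram index rather than an address, which is the analogue of the bogus RIP in the oops above.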

This vulnerability creates a significant operational impact by potentially allowing unauthorized users to trigger kernel crashes through carefully crafted bpf programs, effectively enabling a denial-of-service condition that could compromise system stability. The flaw represents a weakness in the kernel's memory management and security hardening mechanisms, as it demonstrates how overlapping security features can create unintended side effects that undermine system integrity. From an attacker's perspective, this vulnerability could be exploited to cause system instability, though the direct exploitation for privilege escalation or information disclosure remains limited due to the complex nature of the attack vector. The vulnerability aligns with CWE-122, which addresses buffer overflow conditions, and relates to ATT&CK technique T1059.006 for command and scripting interpreter, specifically in how it affects kernel-level program execution and memory management. The issue particularly impacts systems running kernel versions where the bpf subsystem is enabled and actively used, making it relevant to containerized environments, network security tools, and systems implementing kernel-based security monitoring solutions.

The fix implemented addresses the core problem by modifying the JIT blinding logic to specifically identify and exclude ld_imm64 instructions that reference bpf subprograms from the randomization process. This approach ensures that while user-controlled constants remain protected through blinding, programmatic addresses necessary for proper subprogram linking are preserved during compilation. The solution maintains the security benefits of JIT blinding while preventing the address corruption that leads to page fault exceptions. Organizations should prioritize applying the kernel patches that contain this fix, particularly those systems utilizing eBPF for network filtering, security monitoring, or performance analysis tasks. The mitigation strategy also involves monitoring for unusual bpf program loading activities and ensuring that only trusted code executes within environments where eBPF functionality is enabled, as the vulnerability's exploitation requires specific conditions related to program compilation rather than runtime execution.

Responsible: Linux

Reservation: 02/26/2025

Disclosure: 02/26/2025

Moderation: accepted

CPE: ready

EPSS: 0.00239

KEV: no

Activities: very low
