CVE-2022-49698 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

netfilter: use get_random_u32 instead of prandom

bh might occur while updating per-cpu rnd_state from user context, ie. local_out path.

BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
Call Trace:
 check_preemption_disabled+0xde/0xe0
 nft_ng_random_eval+0x24/0x54 [nft_numgen]

Use the random driver instead, this also avoids need for local prandom state. Moreover, prandom now uses the random driver since d4150779e60f ("random32: use real rng for non-deterministic randomness").

Based on earlier patch from Pablo Neira.


Analysis

by VulDB Data Team • 10/24/2025

CVE-2022-49698 covers a flaw in the Linux kernel's netfilter subsystem, in the nft_numgen module that implements the nftables numgen expression (the incremental and random number generators available to rules). In random mode, nft_ng_random_eval drew its numbers from a per-CPU prandom state (struct rnd_state) owned by the module. That state was updated from user context on the local_out path, that is, while an output chain was evaluated for a packet sent by a local process, with preemption enabled. A bottom half can therefore run on the same CPU in the middle of the update, and the task can equally be preempted and resumed on another CPU while still holding a pointer to the first CPU's state, so two contexts end up modifying one generator state concurrently.

The report quoted in the commit is the kernel's preemption debugging check (CONFIG_DEBUG_PREEMPT) firing: smp_processor_id() was reached from preemptible code, logged as "BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725", with nft_ng_random_eval as the caller and check_preemption_disabled at the top of the trace. The triggering task is nginx, PID 2725. The check fires because taking a this_cpu_ptr() to the per-CPU rnd_state is only safe when the caller cannot be preempted or interrupted by another user of that state. The consequence is a half-updated or desynchronised prandom state, plus a BUG splat on every hit under a debug kernel; the commit describes neither a deadlock nor a memory-safety problem.

VulDB maps the issue to CWE-362 (concurrent execution using a shared resource without proper synchronization) and CWE-367 (time-of-check time-of-use). The values produced by numgen random are not used for cryptography; they drive rule logic such as probabilistic matching and load balancing (numgen random mod N, optionally with an offset). The security-relevant effect is therefore that a rule's random selection can be fed values assembled from a half-updated state while legitimate outputs are skipped, and that any local process whose traffic passes an output chain with such a rule can trip the race; no cryptographic key material is weakened. A private prandom state in the module was also a poor fit for this use once prandom itself was backed by the kernel's random driver.

The fix replaces the per-CPU prandom state with a call to get_random_u32(), which draws from the kernel's random driver. get_random_u32() does its own locking and per-CPU batching internally and is safe to call from any context, so nft_numgen has no state of its own left to protect and the module's per-CPU rnd_state is removed. The change follows commit d4150779e60f ("random32: use real rng for non-deterministic randomness"), after which prandom_u32() is itself backed by the random driver; keeping a separate prandom state in nft_numgen therefore offered nothing over the driver while still carrying the preemption hazard. The earlier patch from Pablo Neira that the commit cites took the same direction.

In practice the fix removes a state-corrupting race from a path that any local process can exercise by sending traffic through an output chain containing a numgen random rule, and it simplifies the module by deleting the per-CPU state entirely. To check exposure: a kernel carrying the commit "netfilter: use get_random_u32 instead of prandom" is fixed. On an unpatched kernel built with CONFIG_DEBUG_PREEMPT, the "BUG: using smp_processor_id() in preemptible" line with nft_ng_random_eval as the caller in the kernel log is the observable signature; without CONFIG_DEBUG_PREEMPT the race is silent.
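The race described above and the fixed pattern side by side, as an added example that is not part of this page, of the commit, or of the kernel source: a user-space C model. The taus113 component steps are the ones the kernel's prandom_u32_state() uses; the single model CPU, the injected bottom half, the seed values, and getrandom(2) standing in for get_random_u32() are assumptions of the model, not kernel behaviour.

```c
/* Added example, not kernel code and not from the commit: a user-space model of
 * the race the fix removes. The generator is the taus113 recurrence used by the
 * kernel's prandom_u32_state(); the single-CPU state, the simulated bottom half
 * and getrandom(2) standing in for get_random_u32() are assumptions of the model.
 * Build: cc -std=c11 -Wall -o numgen_model numgen_model.c */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/random.h>

struct rnd_state { uint32_t s1, s2, s3, s4; };

/* taus113 component steps; seeds must satisfy s1 > 1, s2 > 7, s3 > 15, s4 > 127. */
static uint32_t step1(uint32_t s) { return ((s & 4294967294U) << 18) ^ (((s << 6) ^ s) >> 13); }
static uint32_t step2(uint32_t s) { return ((s & 4294967288U) << 2) ^ (((s << 2) ^ s) >> 27); }
static uint32_t step3(uint32_t s) { return ((s & 4294967280U) << 7) ^ (((s << 13) ^ s) >> 21); }
static uint32_t step4(uint32_t s) { return ((s & 4294967168U) << 13) ^ (((s << 3) ^ s) >> 12); }

/* Serialised generator, as prandom_u32_state(): step all four components, XOR them. */
static uint32_t prandom_u32_state(struct rnd_state *st)
{
	st->s1 = step1(st->s1); st->s2 = step2(st->s2);
	st->s3 = step3(st->s3); st->s4 = step4(st->s4);
	return st->s1 ^ st->s2 ^ st->s3 ^ st->s4;
}

/* Kernel reciprocal_scale(): map a full-range u32 into [0, ep_ro) without dividing. */
static uint32_t reciprocal_scale(uint32_t val, uint32_t ep_ro) { return (uint32_t)(((uint64_t)val * ep_ro) >> 32); }

/* The model's one CPU: its per-CPU generator state, and what the bottom half drew. */
static struct rnd_state cpu_state;
static uint32_t bh_value;

/* A bottom half evaluating a numgen random rule on the same CPU, as the commit describes. */
static void simulated_bh(void) { bh_value = prandom_u32_state(&cpu_state); }

/* Old pattern: take the per-CPU pointer in preemptible user context (local_out path)
 * and update the state field by field. Nothing stops a bh from running between two
 * writes (injected here after s1); on a real kernel the task could also be preempted
 * and resumed on another CPU while still holding this CPU's pointer. */
static uint32_t vulnerable_gen_interrupted(void)
{
	struct rnd_state *st = &cpu_state;   /* this_cpu_ptr() with preemption enabled */
	st->s1 = step1(st->s1);
	simulated_bh();                      /* bh reads and advances a half-updated state */
	st->s2 = step2(st->s2); st->s3 = step3(st->s3); st->s4 = step4(st->s4);
	return st->s1 ^ st->s2 ^ st->s3 ^ st->s4;
}

/* n-th output (n >= 1) a correctly serialised generator yields from the same seed. */
static uint32_t reference_nth(struct rnd_state seed, int n)
{
	uint32_t v = 0;
	while (n-- > 0) v = prandom_u32_state(&seed);
	return v;
}

/* 1 if the interleaving shows the race: the user context got output #2 (output #1
 * went to nobody) and the bh got a value that is not the next output, because it
 * XORed a twice-stepped s1 with once-stepped s2..s4. The seed is constructed. */
static int race_demonstrated(void)
{
	struct rnd_state seed = { 0x1d2c3b4aU, 0x5e6f7081U, 0x92a3b4c5U, 0xd6e7f809U };
	cpu_state = seed;
	uint32_t user = vulnerable_gen_interrupted();
	uint32_t bh = bh_value;
	printf("serialised #1=%08x #2=%08x; interleaved user=%08x bh=%08x\n",
	       reference_nth(seed, 1), reference_nth(seed, 2), user, bh);
	return user == reference_nth(seed, 2) && bh != reference_nth(seed, 1);
}

/* Fixed pattern from the commit: reciprocal_scale(get_random_u32(), modulus) + offset.
 * get_random_u32() owns its state and is safe from any context; getrandom(2) stands in. */
static uint32_t fixed_numgen_random(uint32_t modulus, uint32_t offset)
{
	uint32_t v;
	if (getrandom(&v, sizeof v, 0) != (ssize_t)sizeof v) { perror("getrandom"); exit(EXIT_FAILURE); }
	return reciprocal_scale(v, modulus) + offset;
}

/* 1 if every one of `trials` fixed draws lands in [offset, offset + modulus). */
static int fixed_in_range(uint32_t modulus, uint32_t offset, int trials)
{
	while (trials-- > 0) {
		uint32_t v = fixed_numgen_random(modulus, offset);
		if (v < offset || v >= offset + modulus) return 0;
	}
	return 1;
}

int main(void)
{
	printf("race shown: %d\n", race_demonstrated());
	printf("fixed numgen random mod 8 offset 100 -> %u\n", fixed_numgen_random(8, 100));
	return 0;
}
```

On a real kernel the interleaving is nondeterministic; the model pins one interleaving so the effect can be checked: the bottom half walks away with a value assembled from a half-updated state, which is not the generator's next output, and one legitimate output is consumed by nobody. The fixed path has no per-CPU state for a caller to race on, which is why the preemption question disappears with the fix rather than being papered over with preempt_disable().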

Responsible: Linux
Reservation: 02/26/2025
Disclosure: 02/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00283
KEV: no
Activities: very low
