CVE-2022-49837 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix memory leaks in __check_func_call

kmemleak reports this issue:

unreferenced object 0xffff88817139d000 (size 2048): comm "test_progs", pid 33246, jiffies 4307381979 (age 45851.820s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc_trace+0x27/0xa0
[] __check_func_call+0x316/0x1230
[] check_helper_call+0x172e/0x4700
[] do_check+0x21d8/0x45e0
[] do_check_common+0x767/0xaf0
[] bpf_check+0x43e3/0x5bc0
[] bpf_prog_load+0xf26/0x1940
[] __sys_bpf+0xd2c/0x3650
[] __x64_sys_bpf+0x75/0xc0
[] do_syscall_64+0x3b/0x90
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root case here is: In function prepare_func_exit(), the callee is not released in the abnormal scenario after "state->curframe--;". To fix, move "state->curframe--;" to the very bottom of the function, right when we free callee and reset frame[] pointer to NULL, as Andrii
suggested.

In addition, function __check_func_call() has a similar problem. In the abnormal scenario before "state->curframe++;", the callee also should be released by free_func_state().

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/14/2026

The vulnerability identified as CVE-2022-49837 represents a critical memory leak issue within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem. This flaw specifically affects the BPF verifier component responsible for validating BPF programs before execution, making it a significant concern for system security and stability. The memory leak occurs during the function call checking process within the BPF verifier, where allocated memory structures are not properly released in error scenarios. This issue was detected through kmemleak analysis, which identified unreferenced memory objects that remained allocated for extended periods, indicating a resource management failure in the kernel's BPF implementation.

The technical root cause of this vulnerability lies in improper memory management within the __check_func_call function of the BPF verifier. During abnormal execution paths, particularly when function calls fail or encounter errors, the callee structures are not being properly released from memory. The flaw manifests when the prepare_func_exit function processes function call cleanup, where the state->curframe-- operation occurs prematurely before the callee resources are freed. This ordering issue creates a scenario where allocated memory remains unreferenced and uncollectable by the kernel's memory management subsystem. The vulnerability is classified under CWE-401 as a failure to release memory after use, specifically within kernel-space memory management operations.

The operational impact of this vulnerability extends beyond simple memory consumption issues, as it can lead to progressive system resource exhaustion over time. When BPF programs are loaded and executed repeatedly, each failed function call iteration leaves behind unreleased memory segments that accumulate and eventually impact system performance. The memory leak affects the kernel's ability to efficiently manage resources, potentially causing system instability or denial of service conditions. This vulnerability is particularly concerning in environments where BPF programs are frequently loaded and executed, such as network monitoring systems, security tools, or containerized environments that rely heavily on eBPF functionality. The issue demonstrates how memory management flaws in kernel components can have cascading effects on overall system reliability and security posture.

The fix for CVE-2022-49837 implements a precise reordering of memory management operations within the BPF verifier's function call handling. The solution involves moving the state->curframe-- operation to occur only after all callee resources have been properly released and the frame pointer has been reset to NULL. This approach ensures that in both normal and error execution paths, memory allocated for function call states is consistently freed before the frame pointer is adjusted. Additionally, the fix addresses a similar issue in the __check_func_call function by ensuring that free_func_state() is called appropriately before state->curframe++ operations in error scenarios. The mitigation aligns with established kernel security practices and follows the ATT&CK framework's approach to addressing memory corruption vulnerabilities, specifically targeting the execution of system-level code that can be exploited through kernel memory management flaws. This fix demonstrates the importance of proper resource cleanup ordering in kernel-space code and reinforces the need for comprehensive testing of error paths in security-critical subsystems.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!