CVE-2022-49875 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE
When using bpftool to pin {PROG, MAP, LINK} without FILE,
segmentation fault will occur. The reson is that the lack of FILE will cause strlen to trigger NULL pointer dereference. The corresponding stacktrace is shown below:
do_pin do_pin_any do_pin_fd mount_bpffs_for_pin strlen(name) <- NULL pointer dereference
Fix it by adding validation to the common process.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/15/2025
The vulnerability identified as CVE-2022-49875 represents a critical NULL pointer dereference flaw within the Linux kernel's bpftool utility, specifically affecting the BPF (Berkeley Packet Filter) subsystem. This issue manifests when users attempt to pin BPF program, map, or link objects without providing a file argument, creating a scenario where the system attempts to invoke strlen() on a null pointer. The flaw exists in the kernel's BPF file system mounting process, where the bpftool utility fails to properly validate input parameters before proceeding with operations that require valid string arguments. The vulnerability directly impacts the kernel's ability to handle BPF object pinning operations safely, potentially leading to system instability or denial of service conditions.
The technical execution of this vulnerability occurs through a well-defined call stack that begins with the do_pin function and progresses through do_pin_any, then do_pin_fd, followed by mount_bpffs_for_pin, and ultimately reaches the strlen(name) operation where the NULL pointer dereference occurs. This sequence demonstrates how the absence of proper input validation in the common processing pipeline allows malformed arguments to propagate through multiple layers of the BPF subsystem. The flaw specifically targets the kernel's handling of BPF object pinning operations, where the system expects valid file paths but receives null or invalid references, causing the kernel to attempt string length calculations on uninitialized memory locations.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling attackers to exploit the NULL pointer dereference for privilege escalation or system compromise. When the segmentation fault occurs during the BPF pinning process, it can result in kernel panics or forced system reboots, effectively creating a denial of service condition that impacts network security monitoring and packet filtering capabilities. This vulnerability particularly affects systems relying heavily on BPF-based security tools such as those implementing eBPF programs for network traffic analysis, security policy enforcement, or system monitoring. The flaw demonstrates a fundamental lack of input validation in kernel-space code that should have been caught during development and testing phases, highlighting the importance of robust error handling in security-critical subsystems.
The fix for CVE-2022-49875 involves implementing proper validation checks within the common processing pipeline of bpftool, specifically addressing the missing FILE argument validation that leads to the NULL pointer dereference. This remediation aligns with the principles of secure coding practices and follows the CWE-476 principle of NULL pointer dereference prevention. The solution requires adding input validation logic before any string operations are performed, ensuring that all arguments are properly checked for null values before being passed to functions like strlen(). This approach directly addresses the ATT&CK technique T1059.003 for executing malicious code through kernel-level vulnerabilities and prevents the exploitation of input validation gaps that could otherwise be leveraged for privilege escalation or system compromise. The fix represents a defensive programming approach that validates all inputs before processing, preventing the propagation of invalid data through the system's BPF object pinning mechanism.