CVE-2022-49878 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf, verifier: Fix memory leak in array reallocation for stack state

If an error (NULL) is returned by krealloc(), callers of realloc_array() were setting their allocation pointers to NULL, but on error krealloc() does not touch the original allocation. This would result in a memory resource leak. Instead, free the old allocation on the error handling path.

The memory leak information is as follows as also reported by Zhengchao:

unreferenced object 0xffff888019801800 (size 256): comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] __kmalloc_node_track_caller+0x45/0xc0
[] krealloc+0x83/0xd0
[] realloc_array+0x82/0xe2
[] grow_stack_state+0xfb/0x186
[] check_mem_access.cold+0x141/0x1341
[] do_check_common+0x5358/0xb350
[] bpf_check.cold+0xc3/0x29d
[] bpf_prog_load+0x13db/0x2240
[] __sys_bpf+0x1605/0x4ce0
[] __x64_sys_bpf+0x75/0xb0
[] do_syscall_64+0x35/0x80
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/14/2026

The vulnerability CVE-2022-49878 represents a memory leak within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically affecting the verifier component responsible for validating BPF programs before execution. This flaw exists in the array reallocation logic for stack state management, where improper error handling leads to resource exhaustion over time. The issue manifests when the krealloc() function returns NULL to indicate allocation failure, but the calling code fails to properly release the previously allocated memory, creating a persistent memory leak that can accumulate during repeated BPF program loading operations. The vulnerability impacts systems utilizing eBPF functionality extensively, particularly those running applications that frequently load and unload BPF programs such as network monitoring tools, security frameworks, and system observability platforms.

The technical root cause lies in the improper handling of memory allocation failures within the realloc_array() function call chain, specifically in the grow_stack_state() function which manages stack state expansion during BPF program verification. When krealloc() fails and returns NULL, the kernel's error handling path does not free the original allocation, leaving the memory inaccessible but unreclaimed by the system's memory manager. This pattern violates standard memory management practices and creates a resource leak that grows with each failed allocation attempt. The backtrace clearly demonstrates the execution path leading to the leak, showing the call sequence from the BPF program loading interface through the verifier's memory management functions to the final krealloc() failure point. This vulnerability is categorized under CWE-401: Improper Release of Memory Before Removing Last Reference, which specifically addresses memory management errors where resources are not properly deallocated even when operations fail.

The operational impact of this memory leak can be significant in high-throughput environments where BPF programs are frequently loaded and executed. Over time, the accumulation of unreferenced memory blocks can lead to progressive memory consumption, potentially causing system performance degradation, memory exhaustion, and in extreme cases, system instability or denial of service conditions. The leak affects the bpf_repo process identified in the memory dump, which is responsible for managing BPF program repositories and verification operations. Attackers could potentially exploit this vulnerability by repeatedly loading BPF programs to trigger the memory leak, leading to resource exhaustion and system instability. This vulnerability aligns with ATT&CK technique T1059.006 for execution through system services, as it could be leveraged to create persistent resource exhaustion conditions that affect system availability. The memory leak also represents a potential vector for privilege escalation attacks, as sustained memory exhaustion could allow malicious actors to disrupt system operations and potentially gain elevated privileges through resource manipulation.

Mitigation strategies for CVE-2022-49878 focus on ensuring proper memory management practices within the kernel's BPF verifier implementation. The fix implemented in the kernel patch addresses the root cause by ensuring that when realloc_array() encounters a failure, the original allocation is properly freed before returning to the error handling path. This approach aligns with best practices for memory management in kernel space, where all allocated resources must be accounted for and properly released regardless of allocation success or failure. System administrators should apply the relevant kernel updates immediately, particularly on systems running eBPF-dependent applications such as those using Falco, Prometheus node exporters, or other monitoring solutions that rely on BPF for performance data collection. Additionally, monitoring systems should be configured to detect unusual memory consumption patterns that might indicate the presence of memory leaks, and regular security audits should include verification of kernel patch levels and eBPF program loading patterns to prevent exploitation of this vulnerability. The fix also reinforces the principle of defensive programming in kernel space, where error paths must be carefully considered and properly handled to prevent resource leaks that could compromise system stability and security.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!