CVE-2022-49967 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a data-race around bpf_jit_limit.
While reading bpf_jit_limit, it can be changed concurrently via sysctl, WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit is long, so we need to add a paired READ_ONCE() to avoid load-tearing.
Analysis
by VulDB Data Team • 11/30/2025
CVE-2022-49967 addresses a data race in the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically around the bpf_jit_limit parameter. This value bounds the memory the kernel may hand to Just-In-Time compilation of eBPF programs, which underpins performance-sensitive network packet processing and system monitoring. The flaw sits at the boundary between the kernel's JIT memory accounting and its sysctl/proc control interface, where concurrent access can leave a reader with an inconsistent view of the value.
The root cause is missing synchronization on accesses to bpf_jit_limit, the variable that caps the memory allocated for JIT-compiling eBPF programs. While the kernel reads this value, an administrator's sysctl write through the proc interface can modify it at the same moment. Because bpf_jit_limit is a long, a plain, unannotated load is not guaranteed to be a single full-width access, so the reader may observe a torn value, particularly on architectures where a long load is not atomic. The write side, __do_proc_doulongvec_minmax(), which handles sysctl operations on unsigned long vectors, already publishes the new value with WRITE_ONCE(); the read side lacked the paired READ_ONCE() needed to give the access proper memory-ordering guarantees. This is a classic data race (CWE-362).
The operational impact goes beyond a simple data inconsistency: an attacker who can influence the JIT limit's observed value could potentially drive resource exhaustion, denial of service, or, in the author's assessment, privilege escalation within the kernel. Because eBPF is widely used by security monitoring, network filtering, and performance analysis tools, disruption of this accounting could interfere with critical system functions or be leveraged during malformed eBPF program loading. The issue affects kernel versions in which the eBPF subsystem is active and the sysctl interface is reachable, and it is most relevant to containerized environments and security frameworks that depend heavily on eBPF.
Mitigation should rely on the kernel's own synchronization primitives so that every read and write of bpf_jit_limit is a single, whole access. The upstream fix adds a READ_ONCE() on the read side to pair with the existing WRITE_ONCE() on the write side, so that concurrent access cannot produce a partial read. System administrators should prioritize updating to a kernel that contains the patched implementation. Organizations should also watch for unusual sysctl activity or anomalous eBPF program loading patterns, which could indicate attempts to exploit this race. The fix follows established practice for preventing data races in kernel code and addresses the underlying CWE-362 weakness: concurrent access to a shared resource without proper synchronization.
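The READ_ONCE()/WRITE_ONCE() pairing the fix introduces is easy to model outside the kernel. The following C program is an added example written for this page, not code from the Linux kernel or from VulDB: it defines simplified stand-ins for the two kernel macros (a volatile access, which forces one full-width load or store), a hypothetical `jit_limit`/`jit_current` pair of globals that mirror the advisory's accounting, a writer that represents the sysctl path, and a charge routine that represents the read side before and after the fix. All function and variable names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdatomic.h>

/* Simplified stand-ins for the kernel's READ_ONCE()/WRITE_ONCE() (constructed
 * for this example; the real macros are more involved). A volatile access
 * forces the compiler to emit exactly one full-width load or store, which is
 * what prevents a 'long' from being split into smaller, tearable accesses. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

/* Hypothetical model of the two globals involved in JIT memory accounting
 * (names chosen to mirror the advisory; not the kernel's definitions). */
static unsigned long jit_limit = 256UL * 1024;  /* bytes of JIT memory allowed */
static atomic_long   jit_current;               /* bytes currently charged     */

/* Writer side: the sysctl path. A single WRITE_ONCE() publishes the new
 * limit as one whole store, as __do_proc_doulongvec_minmax() already did. */
void set_jit_limit(unsigned long new_limit)
{
    WRITE_ONCE(jit_limit, new_limit);
}

/* Pre-fix shape of the read side: a plain load of jit_limit. The compiler is
 * free to split or re-issue this load, so a concurrent sysctl write can be
 * observed as a torn, never-written value. Kept here for contrast only. */
int jit_charge_unannotated(unsigned long size)
{
    unsigned long after = (unsigned long)atomic_fetch_add(&jit_current, size) + size;
    if (after > jit_limit) {               /* racy read */
        atomic_fetch_sub(&jit_current, size);
        return -1;
    }
    return 0;
}

/* Post-fix read side: READ_ONCE() is the paired annotation the CVE fix adds.
 * The limit is loaded exactly once, as a whole, even if another CPU is
 * storing to it at the same instant. The charge itself is an atomic add
 * followed by a roll-back if the new total exceeds the limit. */
int jit_charge(unsigned long size)
{
    unsigned long after = (unsigned long)atomic_fetch_add(&jit_current, size) + size;
    if (after > READ_ONCE(jit_limit)) {
        atomic_fetch_sub(&jit_current, size);  /* undo the failed charge */
        return -1;
    }
    return 0;
}

void jit_uncharge(unsigned long size)
{
    atomic_fetch_sub(&jit_current, size);
}

unsigned long jit_current_usage(void)
{
    return (unsigned long)atomic_load(&jit_current);
}

int main(void)
{
    set_jit_limit(100);
    printf("charge 60: %d\n", jit_charge(60));   /* fits: 0 */
    printf("charge 50: %d\n", jit_charge(50));   /* exceeds 100: -1 */
    printf("usage now: %lu\n", jit_current_usage());
    printf("charge 40: %d\n", jit_charge(40));   /* exactly at limit: 0 */
    jit_uncharge(100);
    printf("usage after uncharge: %lu\n", jit_current_usage());
    return 0;
}
```

The two charge routines behave identically in a single-threaded run; the difference is the guarantee the annotation gives the compiler and the reader of the code. Tools such as the kernel's KCSAN detect exactly this category of unannotated concurrent access, which is how many "Fix a data-race" commits in this series are found.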