CVE-2022-49975 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Don't redirect packets with invalid pkt_len

Syzbot found an issue [1]: fq_codel_drop() tries to drop a flow without any skbs, that is, the flow->head is null. The root cause, as [2] says, is that bpf_prog_test_run_skb() runs a bpf prog which redirects empty skbs. So we should determine whether the length of the packet modified by bpf prog or others like bpf_prog_test is valid before forwarding it directly.


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability identified as CVE-2022-49975 represents a critical flaw in the Linux kernel's Berkeley Packet Filter (BPF) subsystem that could lead to system instability and potential denial of service conditions. This issue specifically affects the packet handling mechanisms within the kernel's networking stack where BPF programs interact with packet forwarding operations. The vulnerability was discovered through automated fuzzing by syzbot, which identified a scenario where the fq_codel_drop() function attempts to process flow drops without proper packet validation, creating a condition that could be exploited to cause kernel crashes or system hangs.

The technical root cause of this vulnerability lies in the improper handling of empty skbs (socket buffer structures) during BPF program execution. When bpf_prog_test_run_skb() executes BPF programs, it can redirect empty skbs that contain no actual packet data, leading to a null pointer dereference scenario. The flaw occurs because the kernel fails to validate packet length parameters before attempting to forward packets that may have been modified by BPF programs or during BPF testing operations. This validation gap allows malicious or malformed packet processing to bypass normal packet integrity checks, creating a path for kernel memory corruption.

The operational impact of this vulnerability extends beyond simple denial of service to potentially compromise system stability and availability. Attackers could exploit this weakness by crafting specific BPF programs or packet sequences that trigger the null flow handling condition, causing the kernel to crash or enter an inconsistent state. The vulnerability affects systems running Linux kernels with BPF capabilities, particularly those utilizing packet filtering, traffic control, or network monitoring features. According to CWE classification, this represents a CWE-476: NULL Pointer Dereference, while the ATT&CK framework would categorize this under T1499.004: Endpoint Denial of Service, as it targets the kernel's packet processing subsystem to disrupt network operations.

Mitigation strategies for CVE-2022-49975 focus on implementing proper packet length validation before packet forwarding operations. System administrators should prioritize applying the relevant kernel security patches that include the fix for this vulnerability, which typically involves adding checks to ensure pkt_len values are valid before processing redirected packets. The recommended approach includes verifying that packet buffers contain legitimate data before attempting forwarding operations, implementing defensive programming practices that prevent null pointer dereferences, and ensuring BPF programs are properly validated before execution. Additionally, monitoring systems should be configured to detect unusual packet processing patterns that might indicate exploitation attempts, while network administrators should consider implementing rate limiting and packet filtering rules to reduce the attack surface for such vulnerabilities.
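The check that the commit message and the mitigation paragraph describe, as an added userspace model written for this page (not the kernel's code): a stand-in for struct sk_buff, a pre-fix redirect that forwards anything, and a post-fix redirect that refuses a packet whose length does not extend past its link-layer header. The struct fields, the `len <= mac_len` threshold and the -ERANGE return are assumptions of this model; the three sample packets are constructed.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-in for struct sk_buff with only the fields the check consults. */
struct skb {
    unsigned int len;      /* bytes of packet data in the buffer */
    unsigned int mac_len;  /* link-layer header length ahead of the network header */
    int freed;             /* set when the model "kfree_skb"s the buffer */
};

/* Pre-fix model: forwards whatever it is given, including an skb that
 * carries no bytes at all, and always reports success. */
static int redirect_unchecked(struct skb *skb)
{
    (void)skb;
    return 0;
}

/* Post-fix model: a packet that does not extend past its link-layer
 * header has nothing for the next hop, so it is freed here and refused
 * with -ERANGE instead of being handed to the device's queue. */
static int redirect_checked(struct skb *skb)
{
    if (skb->len <= skb->mac_len) {
        skb->freed = 1;
        return -ERANGE;
    }
    return 0;
}

/* Runs both models over three constructed packets: a normal 60-byte
 * Ethernet frame, an empty skb (len 0) of the kind the report above
 * describes, and a header-only 14-byte frame. Returns the number the
 * checked path forwards; *unchecked receives the pre-fix count and
 * *freed the number of buffers the checked path released. */
static int count_forwarded(int *unchecked, int *freed)
{
    struct skb pkts[3] = { {60, 14, 0}, {0, 14, 0}, {14, 14, 0} };
    int checked = 0;
    *unchecked = 0;
    *freed = 0;
    for (int i = 0; i < 3; i++) {
        if (redirect_unchecked(&pkts[i]) == 0)
            (*unchecked)++;
        if (redirect_checked(&pkts[i]) == 0)
            checked++;
        else
            *freed += pkts[i].freed;
    }
    return checked; /* 1: only the 60-byte frame passes the check */
}
```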

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00216

KEV

no

Activities

very low
