CVE-2022-50855 in Linux

Summary

by MITRE • 12/30/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: prevent leak of lsm program after failed attach

In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog's refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place.

[0] https://lore.kernel.org/all/[email protected]/


Analysis

by VulDB Data Team • 04/26/2026

The vulnerability CVE-2022-50855 represents a critical memory management flaw within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically affecting the handling of LSM (Linux Security Modules) program attachments to cgroups. This issue arises from improper reference counting mechanisms during the BPF program attachment process, creating a potential memory leak that could persist beyond the expected program lifecycle. The vulnerability stems from a validation check that prematurely exits the attachment process when an LSM program fails validation for BPF_LSM_CGROUP attachment, without properly decrementing the program's reference count.

The technical flaw manifests in the BPF subsystem's program attachment logic, where the kernel fails to properly manage reference counts for LSM programs that are rejected during the attachment validation phase. When a BPF program intended for LSM cgroup attachment fails validation, the code path returns early without executing the bpf_prog_put function call that would normally decrement the program's reference counter. This results in the LSM program remaining in memory with an inflated reference count, so the program is never freed and its resources are never released. The issue directly violates proper resource management principles and creates a persistent memory leak that can accumulate over time, particularly in systems with frequent BPF program attachment operations.
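The early-return leak and its fix can be modelled in a few lines of userspace C. This is an added example, not the kernel's code or the upstream patch; `struct prog`, `prog_get`, `prog_put`, `cgroup_attach`, `attach_leaky`, `attach_fixed` and `leaked_refs` are hypothetical names standing in for the kernel's program object and attach path.

```c
/* Userspace model of the attach path. All names are illustrative, not kernel symbols. */
#include <errno.h>
#include <stdio.h>
enum attach_type { ATTACH_LSM_MAC, ATTACH_LSM_CGROUP };
struct prog {
    int refcnt;                 /* object may be freed only when this reaches 0 */
    enum attach_type expected;  /* attach type declared at load time */
};

static struct prog *prog_get(struct prog *p) { p->refcnt++; return p; }
static void prog_put(struct prog *p) { p->refcnt--; }
/* Stand-in for the cgroup attach: on success the cgroup keeps the reference. */
static int cgroup_attach(struct prog *p) { (void)p; return 0; }

/* Before the fix: a validation failure returns without dropping the reference. */
int attach_leaky(struct prog *loaded)
{
    struct prog *p = prog_get(loaded);      /* reference taken for the attach */
    if (p->expected != ATTACH_LSM_CGROUP)
        return -EINVAL;                     /* early return: prog_put() never runs */
    return cgroup_attach(p);
}

/* After the fix: every failure falls through to a single cleanup point. */
int attach_fixed(struct prog *loaded)
{
    struct prog *p = prog_get(loaded);
    int ret = -EINVAL;
    if (p->expected == ATTACH_LSM_CGROUP)
        ret = cgroup_attach(p);
    if (ret)
        prog_put(p);                        /* failed attach gives the reference back */
    return ret;
}

/* Run n rejected attaches and report how many references were left behind. */
int leaked_refs(int (*attach)(struct prog *), int n)
{
    struct prog p = { .refcnt = 1, .expected = ATTACH_LSM_MAC };
    for (int i = 0; i < n; i++)
        attach(&p);
    return p.refcnt - 1;                    /* 1 is the loader's own reference */
}

int main(void)
{
    printf("leaky: %d, fixed: %d\n", leaked_refs(attach_leaky, 5), leaked_refs(attach_fixed, 5));
    return 0;
}
```

Each rejected attach in the leaky variant leaves one extra reference, so the count can never return to zero even after the loader drops its own.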

The operational impact of this vulnerability extends beyond simple memory consumption, as it creates potential security implications within the kernel's security module framework. When LSM programs remain in memory past their intended lifecycle, they can potentially be exploited to maintain persistent access vectors or create denial-of-service conditions through resource exhaustion. The vulnerability affects systems utilizing BPF LSM cgroup attachments, which are commonly found in containerized environments, security monitoring solutions, and advanced network filtering scenarios where fine-grained access control is implemented through eBPF programs. This flaw can be particularly problematic in high-throughput environments where frequent attachment operations occur, as the accumulated memory leaks can degrade system performance and stability.

Mitigation strategies for CVE-2022-50855 require immediate kernel updates to the patched version that properly implements reference count management during failed BPF program attachments. System administrators should prioritize applying the relevant kernel security patches as soon as possible, particularly in environments where BPF LSM cgroup functionality is actively used. Additionally, monitoring systems should be implemented to track memory usage patterns and identify potential resource leaks that may result from this vulnerability. Organizations utilizing container orchestration platforms or security monitoring solutions that rely on BPF LSM cgroup attachments should conduct thorough vulnerability assessments to ensure proper patching across their infrastructure. The fix addresses the underlying CWE-404 issue of improper resource release, aligns with ATT&CK technique T1548.002 for privilege escalation through kernel exploits, and represents a fundamental correction to the kernel's resource management mechanisms.

This vulnerability demonstrates the critical importance of proper reference counting in kernel space programming and highlights how seemingly minor logic flaws can create persistent security and stability issues. The fix ensures that all BPF program attachment paths properly account for resource cleanup, preventing the accumulation of orphaned LSM program references that could be exploited in subsequent operations. The resolution addresses the specific requirements of the Linux kernel's security module framework and reinforces proper memory management practices that are essential for maintaining system integrity and preventing resource exhaustion attacks.

Responsible: Linux

Reservation: 12/30/2025

Disclosure: 12/30/2025

Moderation: accepted

CPE: ready

EPSS: 0.00198

KEV: no

Activities: very low
