CVE-2022-0168 Overview
CVE-2022-0168 is a denial of service vulnerability in the Linux kernel's Common Internet File System (CIFS) implementation. The flaw resides in the smb2_ioctl_query_info function within fs/cifs/smb2ops.c. It stems from an incorrect handling of the return value from memdup_user, leading to a null pointer dereference [CWE-476]. A local attacker with CAP_SYS_ADMIN privileges can trigger the bug to crash the affected system. The vulnerability impacts the Linux kernel and downstream distributions including Red Hat Enterprise Linux 8.0 and 9.0.
Critical Impact
A local privileged user can crash the kernel by abusing the CIFS smb2_ioctl_query_info ioctl path, causing system-wide denial of service.
Affected Products
- Linux kernel (upstream, versions prior to the fix in commit d6f5e35)
- Red Hat Enterprise Linux 8.0
- Red Hat Enterprise Linux 9.0
Discovery Timeline
- 2022-08-26 - CVE-2022-0168 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0168
Vulnerability Analysis
The vulnerability exists in the CIFS client code path that services SMB2_IOC_QUERY_INFO ioctl requests. The smb2_ioctl_query_info function copies user-supplied data into kernel memory using the memdup_user helper. When memdup_user fails, it returns an ERR_PTR value rather than NULL. The function does not check the return value correctly, so the resulting error-encoded pointer is later dereferenced as if it were a valid kernel buffer. This triggers a kernel-mode null or invalid pointer dereference, panicking the system or crashing the executing task.
Exploitation requires local access and CAP_SYS_ADMIN, which restricts the attack surface to privileged users, containers granted that capability, or scenarios where another flaw enables capability escalation. The impact is limited to availability — confidentiality and integrity are not affected.
Root Cause
The root cause is incorrect error handling of the pointer returned by memdup_user. The CIFS code path treats an ERR_PTR value as a valid allocation, violating the kernel API contract documented for memdup_user. The upstream fix in commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 corrects the return value check before the pointer is used.
Attack Vector
An authenticated local user with CAP_SYS_ADMIN issues a crafted SMB2_IOC_QUERY_INFO ioctl against a CIFS file descriptor. By supplying input that forces memdup_user to fail, such as an inaccessible user buffer or excessive length, the attacker drives the kernel into the unchecked error path. The resulting dereference produces a kernel oops and denial of service. No verified public proof-of-concept code is available; the vulnerability is described in prose by Red Hat's advisory and the upstream commit message.
Detection Methods for CVE-2022-0168
Indicators of Compromise
- Kernel oops or panic messages referencing smb2_ioctl_query_info or fs/cifs/smb2ops.c in dmesg or /var/log/messages.
- Unexpected reboots or hung tasks on hosts that mount or serve CIFS shares.
- Repeated ioctl calls against CIFS file descriptors from non-administrative workloads.
Detection Strategies
- Monitor kernel ring buffer output for stack traces involving CIFS functions and null pointer dereferences.
- Audit usage of the CAP_SYS_ADMIN capability in containers and service accounts that interact with mounted CIFS shares.
- Correlate process-level ioctl activity with subsequent kernel crash events using endpoint telemetry.
Monitoring Recommendations
- Enable auditd rules for ioctl syscalls on processes touching CIFS-mounted paths.
- Track kernel version inventory across Linux fleet to identify hosts running unpatched kernels.
- Alert on availability incidents on CIFS-using hosts that coincide with privileged user activity.
How to Mitigate CVE-2022-0168
Immediate Actions Required
- Apply the Linux kernel update containing upstream commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 or the equivalent vendor patch.
- For Red Hat Enterprise Linux 8 and 9, install the kernel package update referenced in the Red Hat CVE-2022-0168 Advisory.
- Reboot affected hosts to load the patched kernel.
Patch Information
The upstream fix is available in the mainline Linux kernel via Linux Kernel Commit d6f5e35, which adds correct error handling for the memdup_user return value in smb2_ioctl_query_info. Distribution-specific advisories are tracked in the Red Hat Bug Report #2037386.
Workarounds
- Restrict CAP_SYS_ADMIN to trusted administrative accounts and remove the capability from container workloads where it is not required.
- Unload or blacklist the cifs kernel module on systems that do not require CIFS/SMB client functionality.
- Limit user access to CIFS mount points by enforcing strict filesystem permissions and namespace isolation.
# Verify whether the cifs module is loaded and unload it if unused
lsmod | grep cifs
sudo modprobe -r cifs
# Prevent the module from loading at boot
echo 'blacklist cifs' | sudo tee /etc/modprobe.d/blacklist-cifs.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
