CVE-2022-0185 Overview
CVE-2022-0185 is a heap-based buffer overflow in the legacy_parse_param function within the Filesystem Context functionality of the Linux kernel. The function fails to correctly verify the length of supplied parameters, allowing an attacker to write beyond an allocated heap buffer. An unprivileged local user can trigger the flaw when unprivileged user namespaces are enabled. Otherwise, an attacker requires namespaced CAP_SYS_ADMIN privileges. Successful exploitation leads to local privilege escalation to root. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, and public proof-of-concept code exists.
Critical Impact
Local attackers can achieve root privilege escalation on affected Linux systems through a heap overflow in the kernel filesystem mount path.
Affected Products
- Linux Kernel (versions prior to the fix in commit 722d94847de2)
- NetApp HCI compute and storage nodes (H410C, H300S, H500S, H700S, H300E, H500E, H700E, H410S) including their firmware
- Any Linux distribution shipping vulnerable kernel builds with unprivileged user namespaces enabled
Discovery Timeline
- 2022-01-18 - Public disclosure on the Openwall oss-security mailing list
- 2022-02-11 - CVE-2022-0185 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2022-0185
Vulnerability Analysis
The flaw resides in the kernel's Filesystem Context API, specifically in legacy_parse_param in fs/fs_context.c. This function handles mount option parsing for filesystems that do not implement the new Filesystem Context API and instead fall back to legacy handling. The size calculation used to validate parameter length contains an integer underflow [CWE-191], also classified as an integer wraparound [CWE-190], that ultimately causes a heap-based out-of-bounds write. By supplying crafted mount parameters, a local attacker overwrites adjacent kernel heap objects. Skilled exploitation pivots this primitive into arbitrary kernel read/write and full privilege escalation. Public exploits target msg_msg and similar slab objects to corrupt kernel structures and overwrite credentials.
Root Cause
The legacy_parse_param function calculates remaining buffer space by subtracting the accumulated option length from the page-aligned buffer size, and that subtraction underflows once the supplied parameters push the accumulated length past what the buffer can hold. Because the result is treated as an unsigned value, the subsequent length check passes and memcpy writes attacker-controlled data past the end of the allocated PAGE_SIZE kmalloc buffer. The fix introduced in upstream commit 722d94847de2 adds a proper bounds check before the copy.
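The two forms of the length check side by side, as an added userspace model written for this page (not kernel code): legacy_check_vulnerable reproduces the pre-fix expression, legacy_check_fixed the expression from commit 722d94847de2, and model_overflow counts how many bytes an appended ",key=value" would land past the page-sized buffer. The starting fill level (size = PAGE_SIZE - 1) is an assumed precondition, not derived here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model of the legacy_parse_param length check; the legacy option
 * buffer in the kernel is a single PAGE_SIZE kmalloc allocation. */
#define MODEL_PAGE_SIZE 4096UL

/* Pre-fix check, "len > PAGE_SIZE - 2 - size": every operand is unsigned, so
 * once size exceeds PAGE_SIZE - 2 the right-hand side wraps to a huge value
 * and any len is accepted. Returns true when the copy would proceed. */
static bool legacy_check_vulnerable(unsigned int size, size_t len)
{
    return !(len > MODEL_PAGE_SIZE - 2 - size);
}

/* Post-fix check from commit 722d94847de2, "size + len + 2 > PAGE_SIZE":
 * the comparison is done by addition, so nothing wraps. */
static bool legacy_check_fixed(unsigned int size, size_t len)
{
    return !(size + len + 2 > MODEL_PAGE_SIZE);
}

/* Model appending ",key[=value]" plus a NUL to the page buffer when `size`
 * bytes are already used. Returns how many bytes would land past the end
 * (0 when the write stays in bounds or the check rejects it). */
static size_t model_overflow(bool (*check)(unsigned int, size_t),
                             unsigned int size, const char *key, const char *value)
{
    size_t len = strlen(key) + (value ? 1 + strlen(value) : 0);
    if (!check(size, len))
        return 0;                     /* "VFS: Legacy: Cumulative options too large" */
    size_t end = (size_t)size + 1 + len + 1;   /* ',' + key[=value] + NUL */
    return end > MODEL_PAGE_SIZE ? end - MODEL_PAGE_SIZE : 0;
}

int main(void)
{
    char value[200];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    unsigned int size = MODEL_PAGE_SIZE - 1;   /* assumed: buffer already nearly full */
    printf("pre-fix check: %zu bytes written past the page\n",
           model_overflow(legacy_check_vulnerable, size, "opt", value));
    printf("fixed check:   %zu bytes written past the page\n",
           model_overflow(legacy_check_fixed, size, "opt", value));
    return 0;
}
```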
Attack Vector
Exploitation requires local access and the ability to create a new mount namespace. On distributions that enable unprivileged user namespaces by default, any local user can reach the vulnerable code path. Otherwise, the attacker needs CAP_SYS_ADMIN inside a namespace. The attacker calls unshare(CLONE_NEWUSER | CLONE_NEWNS), then invokes fsopen against a legacy filesystem type such as 9p or cgroup, followed by fsconfig with an oversized option value. The resulting kernel heap corruption is shaped into a privilege escalation by manipulating the slab allocator. Detailed exploitation walkthroughs are available in the WillsRoot CVE-2022-0185 Analysis and the Crusaders of Rust CVE-2022-0185 PoC.
Detection Methods for CVE-2022-0185
Indicators of Compromise
- Unexpected unshare calls combined with fsopen, fsconfig, or fspick syscalls from unprivileged user processes
- Kernel oops or panic messages referencing legacy_parse_param or vfs_parse_fs_string
- New root-owned shells spawned from non-root parent processes shortly after mount-related syscalls
- Loading of legacy filesystem modules (for example 9p, cgroup, nfs) by non-administrative users
Detection Strategies
- Audit kernel syscall telemetry for unusual sequences of unshare(CLONE_NEWUSER) followed by fsconfig with large value buffers
- Enable auditd rules on mount, fsopen, and fsconfig syscalls and alert on invocations by unprivileged UIDs
- Hunt for processes that transition from a non-root UID to UID 0 without using sudo, su, or a setuid binary
- Correlate kernel log entries (dmesg) containing slab corruption warnings with recent local user activity
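One way to implement the unshare -> fsopen -> fsconfig correlation above, as an added example in C that is not part of the original page: it parses simplified auditd SYSCALL records (the sample lines, pids and process names are constructed), keeps per-pid state, and flags a non-root pid that reaches fsconfig after an unshare carrying CLONE_NEWUSER (0x10000000 in a0) and an fsopen. Syscall numbers are the x86_64 values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* x86_64 syscall numbers as they appear in auditd SYSCALL records */
enum { NR_UNSHARE = 272, NR_FSOPEN = 430, NR_FSCONFIG = 431, MAX_PIDS = 64 };
#define CLONE_NEWUSER_FLAG 0x10000000L

/* Per-pid state: bit 0 = unshare(CLONE_NEWUSER) seen, bit 1 = fsopen seen */
struct track { long pid; unsigned seen; };

/* Number following "key" in an audit record, or -1 when the key is absent */
static long field(const char *rec, const char *key, int base)
{
    const char *p = strstr(rec, key);
    return p ? strtol(p + strlen(key), NULL, base) : -1;
}

/* Feed one record; returns the pid when it completes the sequence for a non-root uid, else 0 */
static long correlate(struct track *tab, const char *rec)
{
    long pid = field(rec, " pid=", 10), uid = field(rec, " uid=", 10);
    long nr = field(rec, " syscall=", 10), a0 = field(rec, " a0=", 16);
    if (!strstr(rec, "type=SYSCALL") || pid <= 0 || uid <= 0 || nr < 0)
        return 0;                       /* root, non-SYSCALL record, or unparsable */
    struct track *t = NULL;
    for (int i = 0; i < MAX_PIDS && !t; i++)
        if (tab[i].pid == pid || tab[i].pid == 0) t = &tab[i];
    if (!t) return 0;                   /* table full; a real pipeline would evict */
    t->pid = pid;
    if (nr == NR_UNSHARE && (a0 & CLONE_NEWUSER_FLAG)) t->seen |= 1;
    else if (nr == NR_FSOPEN && (t->seen & 1))         t->seen |= 2;
    else if (nr == NR_FSCONFIG && t->seen == 3)        return pid;
    return 0;
}

/* Constructed sample records (not real telemetry): pid 1234 runs the full sequence, pid 777 does not */
static const char *sample[] = {
    "type=SYSCALL msg=audit(1642500000.101:501): arch=c000003e syscall=272 success=yes exit=0 a0=10020000 a1=0 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm=\"poc\" exe=\"/tmp/poc\"",
    "type=SYSCALL msg=audit(1642500000.102:502): arch=c000003e syscall=430 success=yes exit=3 a0=7ffd12345678 a1=0 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm=\"poc\" exe=\"/tmp/poc\"",
    "type=SYSCALL msg=audit(1642500000.103:503): arch=c000003e syscall=431 success=yes exit=0 a0=3 a1=1 a2=7ffd12345690 a3=7ffd123456a0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm=\"poc\" exe=\"/tmp/poc\"",
    "type=SYSCALL msg=audit(1642500000.104:504): arch=c000003e syscall=431 success=yes exit=0 a0=4 a1=1 a2=0 a3=0 ppid=1 pid=777 auid=1001 uid=1001 gid=1001 comm=\"mounthelper\" exe=\"/usr/bin/mounthelper\"",
};

/* Replay the sample; returns the flagged pid, or 0 when nothing matched */
static long run_sample(void)
{
    struct track tab[MAX_PIDS] = {{0, 0}};
    long hit = 0, p;
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        if ((p = correlate(tab, sample[i])) != 0)
            printf("ALERT: pid %ld ran unshare(CLONE_NEWUSER)->fsopen->fsconfig as non-root\n", hit = p);
    return hit;
}
```

Real audit output spreads one event over several record types and uses different syscall numbers on other architectures, so a production version should key state on the audit event id and carry a per-arch number table.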
Monitoring Recommendations
- Forward /var/log/audit/audit.log and kernel ring buffer events to a centralized SIEM for correlation
- Track user namespace creation, for example by watching the limit configured in /proc/sys/user/max_user_namespaces and enumerating the namespaces listed under /proc/*/ns/
- Monitor for the presence of known PoC binaries and source artifacts referenced in the public exploit repository
How to Mitigate CVE-2022-0185
Immediate Actions Required
- Apply the upstream kernel patch from commit 722d94847de2 or the vendor-supplied kernel update for your distribution
- Reboot affected systems after kernel package installation to load the patched image
- For NetApp HCI nodes, apply the firmware updates referenced in the NetApp Security Advisory NTAP-20220225-0003
- Inventory all Linux hosts and containers and prioritize patching for multi-tenant systems where untrusted local users exist
Patch Information
The fix is contained in the upstream Linux kernel commit 722d94847de2 ("vfs: fs_context: fix up param length parsing in legacy_parse_param"). See the Linux kernel commit for the change. Distribution vendors backported the patch into their stable kernel branches in January and February 2022. Refer to the Openwall oss-security thread and the CISA Known Exploited Vulnerabilities entry for additional vendor references.
Workarounds
- Disable unprivileged user namespaces where the feature is not required by setting kernel.unprivileged_userns_clone=0 (available only on kernels that carry the distribution patch adding that sysctl, such as Debian-based kernels) or user.max_user_namespaces=0 (upstream, but note that it also stops root, container runtimes and browser sandboxes from creating user namespaces)
- Restrict access to mount-related syscalls using a seccomp profile that blocks unshare, fsopen, fsconfig, and mount for untrusted workloads
- Apply SELinux or AppArmor policies that deny CAP_SYS_ADMIN to container workloads and unprivileged services
# Configuration example: disable unprivileged user namespaces until patched.
# kernel.unprivileged_userns_clone exists only on kernels that carry the distribution
# patch adding it; writing it elsewhere fails with "No such file or directory".
# user.max_user_namespaces=0 is upstream but also blocks root, container runtimes and
# browser sandboxes from creating user namespaces.
CONF=/etc/sysctl.d/99-cve-2022-0185.conf
: > "$CONF"   # start from an empty file so re-running does not append duplicate lines
if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
    echo 'kernel.unprivileged_userns_clone=0' >> "$CONF"
fi
echo 'user.max_user_namespaces=0' >> "$CONF"
sysctl -p "$CONF"   # applies the settings now; the file keeps them across reboots
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

