CVE-2022-0995: Linux Kernel Privilege Escalation Flaw

CVE-2022-0995 Overview

CVE-2022-0995 is an out-of-bounds write vulnerability in the Linux kernel's watch_queue event notification subsystem. The flaw allows a local, authenticated user to write beyond allocated kernel memory boundaries, corrupting adjacent kernel state. Successful exploitation enables local privilege escalation to root or causes a denial of service through kernel panic. The vulnerability affects Linux kernel versions through 5.17-rc7 and is tracked under [CWE-787]. Downstream products including Fedora 35 and multiple NetApp HCI storage platforms inherit the vulnerable code.

Critical Impact

A local unprivileged user can corrupt kernel memory through the watch_queue subsystem to escalate privileges and gain root access on affected Linux systems.

Affected Products

• Linux Kernel (including 5.17 release candidates rc1 through rc7)
• Fedora 35
• NetApp HCI storage platforms (H300E, H300S, H410C, H410S, H500E, H500S, H610C, H610S, H615C, H700E, H700S)

Discovery Timeline

• 2022-03-25 - CVE-2022-0995 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0995

Vulnerability Analysis

The vulnerability resides in the watch_queue event notification subsystem, which provides a mechanism for userspace processes to receive notifications about kernel events such as key and keyring changes. The subsystem implements a filter mechanism allowing processes to specify which events they want to receive. The flaw is classified as an out-of-bounds write [CWE-787], meaning the kernel writes data past the boundary of an allocated buffer. This corrupts adjacent kernel data structures, which an attacker can shape to achieve arbitrary memory write primitives. With an EPSS score of 16.96% placing it in the 95th percentile, the vulnerability has elevated exploit probability compared to typical kernel flaws. Public exploits are available through Packet Storm Security, demonstrating practical privilege escalation paths.

Root Cause

The vulnerable code is in kernel/watch_queue.c, specifically in the filter handling logic. The filter implementation fails to correctly validate index boundaries when processing user-supplied filter specifications. As a result, the kernel writes filter data beyond the allocated watch filter buffer, overwriting adjacent kernel heap memory. The upstream fix is captured in commit 93ce9358, which corrects the boundary handling in the filter setup path.

Attack Vector

Exploitation requires local access with a valid unprivileged user account. The attacker invokes the keyctl() and pipe2() system calls to create a watch queue, then submits a crafted filter specification through IOC_WATCH_QUEUE_SET_FILTER ioctl. The malformed filter triggers the out-of-bounds write, allowing the attacker to corrupt kernel heap objects placed adjacent to the watch buffer. Through careful heap grooming, attackers convert this primitive into arbitrary code execution in kernel context, ultimately granting root privileges. No user interaction is required and the attack complexity is low.

Detailed exploitation walkthroughs are published at the Packet Storm advisory and the Red Hat Bugzilla entry.

Detection Methods for CVE-2022-0995

Indicators of Compromise

• Unexpected kernel oops or panic messages in dmesg referencing watch_queue.c or post_one_notification.
• Unprivileged processes invoking keyctl() followed by pipe2() with O_NOTIFICATION_PIPE and subsequent IOC_WATCH_QUEUE_SET_FILTER ioctls in rapid succession.
• Unexpected SUID shell processes or root-owned shells spawned from non-root parent processes.
• New or modified files in /etc/passwd, /etc/shadow, or /etc/sudoers written by previously unprivileged users.

Detection Strategies

• Monitor system call telemetry for the specific sequence of pipe2(O_NOTIFICATION_PIPE) followed by watch queue filter ioctls from non-administrative accounts.
• Audit kernel ring buffer logs for slab corruption warnings, KASAN reports, or general protection faults originating in the watch queue subsystem.
• Correlate process lineage anomalies where a low-privilege user transitions to UID 0 without invoking sudo, su, or other legitimate privilege transition utilities.

Monitoring Recommendations

• Enable auditd rules covering keyctl and ioctl system calls and ship logs to a centralized SIEM for correlation.
• Deploy kernel runtime monitoring tools that flag unexpected privilege transitions and kernel memory corruption events.
• Track installed kernel package versions across the fleet and alert on hosts still running unpatched kernels prior to the upstream fix commit 93ce9358.

How to Mitigate CVE-2022-0995

Immediate Actions Required

• Apply vendor-supplied kernel updates that include commit 93ce93587d36493f2f86921fa79921b3cba63fbb from the mainline Linux tree.
• For Fedora 35 hosts, install the patched kernel package via dnf update kernel and reboot.
• For NetApp HCI deployments, consult the NetApp Security Advisory NTAP-20220429-0001 for firmware updates.
• Restrict local shell and SSH access to trusted administrative users until patching is complete.

Patch Information

The upstream fix is included in Linux kernel commit 93ce9358. Distribution-specific patches are tracked in the Red Hat Bugzilla report. Verify your installed kernel version against your distribution's security advisory before considering the host remediated.

Workarounds

• Disable the watch_queue notification subsystem at build time by setting CONFIG_WATCH_QUEUE=n if recompiling the kernel is feasible.
• Block unprivileged access to the keyctl and notification pipe interfaces using seccomp filters in container runtimes and sandboxed workloads.
• Apply SELinux or AppArmor policies that prevent untrusted users from invoking watch queue related system calls.

# Verify the installed kernel version and confirm the patch is applied
uname -r
rpm -q --changelog kernel | grep -i "CVE-2022-0995"

# Optional: restrict keyctl via seccomp for container workloads (Docker example)
docker run --security-opt seccomp=/etc/docker/seccomp-no-keyctl.json <image>