CVE-2022-24122 Overview
CVE-2022-24122 is a use-after-free vulnerability in the Linux kernel's kernel/ucount.c affecting versions 5.14 through 5.16.4. When unprivileged user namespaces are enabled, a ucounts object can outlive its namespace, creating a use-after-free condition that allows local attackers to escalate privileges on vulnerable systems.
Critical Impact
Local attackers with low privileges can exploit this use-after-free vulnerability to gain elevated privileges on Linux systems with unprivileged user namespaces enabled, potentially leading to full system compromise.
Affected Products
- Linux Kernel versions 5.14 through 5.16.4
- NetApp H-Series firmware (H410c, H300s, H500s, H700s, H300e, H500e, H700e, H410s)
- Fedora 34 and Fedora 35
Discovery Timeline
- 2022-01-29 - CVE-2022-24122 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24122
Vulnerability Analysis
The vulnerability exists in the user namespace accounting subsystem (kernel/ucount.c) of the Linux kernel. This use-after-free condition occurs because the ucounts object, which tracks resource usage within user namespaces, can persist beyond the lifetime of its associated namespace. When unprivileged user namespaces are enabled (a common configuration in modern Linux distributions), this creates a dangerous race condition where freed memory associated with a destroyed namespace can be subsequently accessed through a dangling ucounts reference.
The exploitation requires local access and low privileges, but does not require user interaction. An attacker can manipulate the timing of namespace creation and destruction to trigger the use-after-free condition, potentially corrupting kernel memory structures. This memory corruption can then be leveraged to overwrite critical kernel data structures, ultimately enabling privilege escalation from an unprivileged user to root.
Root Cause
The root cause is a missing reference count increment on the user namespace when creating new ucounts objects. Without proper reference counting, the namespace can be destroyed while ucounts objects still hold references to it. The fix addresses this by adding a get_user_ns() call when creating new ucounts entries, ensuring the namespace cannot be freed while ucounts objects reference it.
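The reference-counting defect described above, modelled in a small self-contained C program. This is an added illustration, not kernel code and not the upstream patch: the structures, the create/get/put helpers and the run_scenario() driver are simplified stand-ins whose names merely mirror kernel/ucount.c. Instead of calling free() when the last reference drops, the model sets a released flag so the dangling pointer can be observed safely; with_fix selects whether alloc_ucounts() takes the namespace reference that the real fix adds.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the CVE-2022-24122 lifetime bug (added illustration, not
 * kernel code): a user namespace with a reference count, and a cached
 * ucounts entry that points at it. Names mirror kernel/ucount.c, but the
 * structures and helpers are simplified stand-ins. */

struct user_ns {
    int refcount;
    int released;       /* set instead of free() so a dangling pointer can be observed */
};

struct ucounts {
    struct user_ns *ns;
    int refcount;
    int holds_ns_ref;   /* did alloc_ucounts() pin the namespace? */
};

static struct user_ns *create_user_ns(void)
{
    struct user_ns *ns = calloc(1, sizeof *ns);
    ns->refcount = 1;   /* the creator's own reference */
    return ns;
}

static struct user_ns *get_user_ns(struct user_ns *ns)
{
    ns->refcount++;
    return ns;
}

static void put_user_ns(struct user_ns *ns)
{
    if (--ns->refcount == 0)
        ns->released = 1;   /* in the real kernel the memory is freed here */
}

/* with_fix == 0: the entry caches the pointer without pinning the namespace
 * (the vulnerable behaviour).  with_fix == 1: get_user_ns() is taken, as the
 * upstream fix does when a new ucounts entry is inserted. */
static struct ucounts *alloc_ucounts(struct user_ns *ns, int with_fix)
{
    struct ucounts *uc = calloc(1, sizeof *uc);
    uc->ns = with_fix ? get_user_ns(ns) : ns;
    uc->holds_ns_ref = with_fix;
    uc->refcount = 1;
    return uc;
}

static void put_ucounts(struct ucounts *uc)
{
    if (--uc->refcount == 0) {
        if (uc->holds_ns_ref)
            put_user_ns(uc->ns);   /* the matching release; without it the ns would leak */
        free(uc);
    }
}

struct outcome {
    int ns_live_at_access;  /* 1 = namespace still valid when the cached entry used it */
    int ns_leaked;          /* 1 = namespace never reached refcount 0 */
};

struct outcome run_scenario(int with_fix)
{
    struct outcome out;
    struct user_ns *ns = create_user_ns();
    struct ucounts *uc = alloc_ucounts(ns, with_fix);

    /* The namespace owner drops its reference (namespace torn down) while the
     * ucounts entry is still cached in the hash table. */
    put_user_ns(ns);

    /* A later access through the cached entry: the use-after-free when unfixed. */
    out.ns_live_at_access = !uc->ns->released;

    put_ucounts(uc);
    out.ns_leaked = !ns->released;
    free(ns);   /* the model's quarantine; real memory would already be gone */
    return out;
}

int main(void)
{
    struct outcome bad = run_scenario(0), good = run_scenario(1);
    printf("unfixed: ns live at access=%d leaked=%d\n", bad.ns_live_at_access, bad.ns_leaked);
    printf("fixed:   ns live at access=%d leaked=%d\n", good.ns_live_at_access, good.ns_leaked);
    return 0;
}
```

Running it prints live=0 for the unfixed path (the cached entry reaches a released namespace) and live=1, leaked=0 for the fixed path: the extra reference keeps the namespace alive until put_ucounts() drops it, and the symmetric put_user_ns() in put_ucounts() is what keeps the fix from turning the use-after-free into a leak.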
Attack Vector
The attack vector is local, requiring an attacker to have low-privilege access to a system running a vulnerable Linux kernel version with unprivileged user namespaces enabled. The attacker creates and manipulates user namespaces to trigger the race condition between namespace destruction and ucounts access. By carefully timing these operations, the attacker can cause the kernel to access freed memory, enabling arbitrary code execution in kernel context.
kfree(new);
} else {
hlist_add_head(&new->node, hashent);
+ get_user_ns(new->ns);
spin_unlock_irq(&ucounts_lock);
return new;
}
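Review bot: the added get_user_ns(new->ns) on the insertion branch needs a matching put_user_ns() on the path that frees a ucounts entry, and that release is not visible in this excerpt; without it every namespace that ever created a ucounts entry stays pinned forever, trading the use-after-free for a leak. Please include the hunk for the release side so both halves can be reviewed together. The other branch shown here, which kfree(new)s the discarded allocation, correctly takes no reference, which is consistent. The excerpt also begins mid-block at kfree(new); with no @@ header, so the enclosing lookup and the spin_lock that pairs with spin_unlock_irq(&ucounts_lock) cannot be checked from what is shown.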
Source: GitHub Linux Commit Entry
The patch adds get_user_ns(new->ns) to properly increment the reference count on the namespace, preventing it from being freed while the ucounts object still references it.
Detection Methods for CVE-2022-24122
Indicators of Compromise
- Unusual kernel crash logs or oops messages related to kernel/ucount.c or user namespace operations
- Unexpected privilege escalation events from low-privilege user accounts
- Abnormal user namespace creation and destruction patterns in audit logs
- Memory corruption signatures in kernel crash dumps referencing ucounts structures
Detection Strategies
- Monitor for processes creating rapid sequences of user namespaces followed by quick destruction
- Implement kernel-level monitoring using tools like eBPF to detect unusual ucounts object access patterns
- Review system logs for kernel warnings related to reference counting errors in namespace handling
- Deploy endpoint detection solutions capable of identifying privilege escalation attempts
Monitoring Recommendations
- Enable kernel auditing for namespace-related syscalls (clone, unshare, setns with namespace flags)
- Configure SentinelOne agents to monitor for behavioral patterns consistent with namespace-based exploitation
- Implement alerting for unexpected root-level process spawning from non-privileged user contexts
- Monitor for suspicious kernel module loading or memory manipulation attempts following namespace operations
How to Mitigate CVE-2022-24122
Immediate Actions Required
- Update Linux kernel to version 5.16.5 or later, which contains the security fix
- If immediate patching is not possible, consider disabling unprivileged user namespaces as a temporary mitigation
- Apply vendor-specific patches from NetApp and Fedora as applicable to your environment
- Restrict local access to systems running vulnerable kernel versions
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix adds proper reference counting to ensure user namespaces cannot be freed while ucounts objects still reference them. Patches are available through:
- Linux Kernel Commit Update
- GitHub Linux Commit Entry
- NetApp Security Advisory
- Fedora package updates available via Fedora Package Announcements
Workarounds
- Disable unprivileged user namespaces by setting the kernel parameter kernel.unprivileged_userns_clone=0
- Restrict access to namespace-related system calls using seccomp profiles for containerized workloads
- Implement mandatory access control policies (SELinux, AppArmor) to limit namespace creation capabilities
- Apply defense-in-depth measures by limiting local user access to affected systems
# Disable unprivileged user namespaces (temporary workaround).
# This sysctl exists only on kernels that carry the distribution patch adding it
# (Debian/Ubuntu); upstream and Fedora kernels do not have it, so guard for it.
if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
  echo 0 > /proc/sys/kernel/unprivileged_userns_clone
  # Make the change persistent across reboots
  echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-disable-userns.conf
  sysctl --system
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

