CVE-2022-24448 Overview
CVE-2022-24448 is an information disclosure vulnerability discovered in fs/nfs/dir.c within the Linux kernel before version 5.16.5. The vulnerability occurs when an application sets the O_DIRECTORY flag and attempts to open a regular file. In this scenario, nfs_atomic_open() performs a regular lookup, and when a regular file is found, the expected ENOTDIR error should be returned. Instead, the server returns uninitialized data in the file descriptor, potentially exposing sensitive kernel memory contents to local attackers.
Critical Impact
Local attackers with low privileges can potentially access uninitialized kernel memory through improper NFS directory handling, leading to information disclosure.
Affected Products
- Linux Kernel versions before 5.16.5
- Debian Linux 9.0
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- February 4, 2022 - CVE-2022-24448 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-24448
Vulnerability Analysis
This vulnerability stems from improper exception handling (CWE-755) in the NFS (Network File System) implementation within the Linux kernel. When an application uses the O_DIRECTORY flag with the open() system call, it explicitly indicates that it expects to open a directory. The NFS atomic open function nfs_atomic_open() should validate this expectation and return ENOTDIR when the target is a regular file rather than a directory.
However, the vulnerable code path fails to properly handle this case. Instead of returning the appropriate error, the function allows the operation to proceed with uninitialized data in the file descriptor structure. This uninitialized memory may contain residual kernel data from previous operations, which could be disclosed to the local user.
The vulnerability requires local access and only low privileges to exploit, which limits its attack surface. The attacker must be able to execute code on the system and interact with NFS-mounted filesystems to trigger the vulnerable code path.
Root Cause
The root cause lies in the nfs_atomic_open() function within fs/nfs/dir.c. When performing a lookup operation with the LOOKUP_DIRECTORY flag set, the function fails to check whether the found inode corresponds to a directory using S_ISDIR(). This missing validation allows the function to return success with uninitialized file descriptor data instead of properly returning the -ENOTDIR error code when a non-directory file is encountered.
Attack Vector
The attack requires local access to a system with NFS-mounted filesystems. An attacker with low privileges can craft a malicious application that:
- Sets the O_DIRECTORY flag when calling open()
- Targets a regular file on an NFS mount
- Receives uninitialized memory content in the returned file descriptor
The following patch from the Linux kernel demonstrates how the vulnerability was addressed in fs/nfs/dir.c:
no_open:
res = nfs_lookup(dir, dentry, lookup_flags);
+ if (!res) {
+ inode = d_inode(dentry);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode))
+ res = ERR_PTR(-ENOTDIR);
+ } else if (!IS_ERR(res)) {
+ inode = d_inode(res);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-ENOTDIR);
+ }
+ }
if (switched) {
d_lookup_done(dentry);
if (!res)
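Review bot: the LOOKUP_DIRECTORY/S_ISDIR test is written out twice, once for the `!res` branch (the hit lands on the caller's `dentry`) and once for the `!IS_ERR(res)` branch (a new dentry returned by nfs_lookup that must be `dput()` before `res = ERR_PTR(-ENOTDIR)`); a small helper taking the dentry would keep the two copies in step, and the `inode &&` guard deserves a one-line comment saying that a negative dentry (no inode) is deliberately not turned into ENOTDIR here.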
Source: Linux Commit ac79516
An additional patch in fs/nfs/nfs4file.c reverts special handling for the Linux file open access mode:
return err;
if ((openflags & O_ACCMODE) == 3)
- return nfs_open(inode, filp);
+ openflags--;
/* We can't create new files here */
openflags &= ~(O_CREAT|O_EXCL);
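Review bot: the bare `3` in `if ((openflags & O_ACCMODE) == 3)` and the `openflags--;` that replaces `return nfs_open(inode, filp);` are opaque without context; a comment stating that 3 is the Linux-specific access mode (neither O_RDONLY, O_WRONLY nor O_RDWR) and that the decrement maps it to O_RDWR (2) before `openflags &= ~(O_CREAT|O_EXCL);` would document why the early return was dropped.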
Source: Linux Commit ab0fc21
Detection Methods for CVE-2022-24448
Indicators of Compromise
- Unusual open() system calls with O_DIRECTORY flag targeting regular files on NFS mounts
- Applications attempting to read from file descriptors opened with directory flags on non-directory files
- Anomalous NFS client behavior with repeated lookup operations followed by unexpected data access
Detection Strategies
- Monitor system calls using auditd for open() calls combining O_DIRECTORY with non-directory targets on NFS filesystems
- Implement kernel-level monitoring for nfs_atomic_open() function calls that return unexpected success states
- Deploy endpoint detection solutions to identify applications exhibiting suspicious NFS interaction patterns
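The indicator in the first list item and the auditd strategy above can be checked offline against exported audit records. The following is an added example, not code from the page or the kernel project: it pairs SYSCALL and PATH records by event id, decodes the open/openat flags, and flags O_DIRECTORY opens of non-directories that sit under an NFS mount. The audit records, the /proc/mounts lines, and the x86_64 syscall numbers and O_DIRECTORY value are constructed assumptions.

```python
import re

# O_DIRECTORY as encoded on x86_64 (octal 0200000); some architectures
# (e.g. alpha, sparc) use other values, so this constant is an assumption.
O_DIRECTORY = 0o200000
S_IFMT, S_IFDIR = 0o170000, 0o040000
OPEN_SYSCALLS = {"2": "a1", "257": "a2"}  # x86_64 open/openat -> flags argument
# Constructed auditd records (not real captures); aN values are hex.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1644000000.100:101): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5581d4c0 a2=10000 a3=0 pid=4242 uid=1000 comm="probe"
type=PATH msg=audit(1644000000.100:101): item=0 name="/mnt/share/notes.txt" inode=1234 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1644000000.200:102): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=5581d4f0 a2=10000 a3=0 pid=4242 uid=1000 comm="ls"
type=PATH msg=audit(1644000000.200:102): item=0 name="/mnt/share" inode=2 mode=040755 nametype=NORMAL
type=SYSCALL msg=audit(1644000000.300:103): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=5581d510 a2=10000 a3=0 pid=4244 uid=1000 comm="probe"
type=PATH msg=audit(1644000000.300:103): item=0 name="/home/user/local.txt" inode=77 mode=0100644 nametype=NORMAL
"""
# Constructed /proc/mounts content: one NFSv4 mount plus the root filesystem.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/share /mnt/share nfs4 rw,relatime,vers=4.2 0 0
"""

def nfs_mount_points(mounts_text: str) -> list[str]:
    """Mount points whose filesystem type is nfs or nfs4."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] in ("nfs", "nfs4")]

def _kv(record: str) -> dict[str, str]:
    """Split one audit record into key=value pairs, unquoting values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def find_suspicious_opens(audit_text: str, mounts_text: str) -> list[dict]:
    """Pair SYSCALL and PATH records by event id and flag open/openat calls that
    set O_DIRECTORY on a non-directory under an NFS mount. A patched kernel
    answers with ENOTDIR (success=no); success=yes before 5.16.5 is the signal."""
    roots = [r.rstrip("/") + "/" for r in nfs_mount_points(mounts_text)]
    pending: dict[str, dict[str, str]] = {}
    hits = []
    for line in audit_text.splitlines():
        rec = _kv(line)
        if rec.get("type") == "SYSCALL" and rec.get("syscall") in OPEN_SYSCALLS:
            if int(rec[OPEN_SYSCALLS[rec["syscall"]]], 16) & O_DIRECTORY:
                pending[rec["msg"]] = rec
        elif rec.get("type") == "PATH" and rec.get("nametype") == "NORMAL" and rec["msg"] in pending:
            sc = pending.pop(rec["msg"])
            on_nfs = any((rec["name"] + "/").startswith(r) for r in roots)
            if (int(rec["mode"], 8) & S_IFMT) != S_IFDIR and on_nfs:
                hits.append({"pid": sc["pid"], "comm": sc["comm"],
                             "path": rec["name"], "success": sc["success"]})
    return hits
```

On a real host, feed it the output of `ausearch --raw` and the contents of /proc/mounts; only the event on the NFS-backed regular file is reported, while the directory open and the local-file open are ignored.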
Monitoring Recommendations
- Enable comprehensive audit logging for NFS operations, particularly directory-related system calls
- Monitor for processes accessing file descriptors in unexpected ways following failed directory opens
- Review kernel logs for NFS-related errors or warnings that may indicate exploitation attempts
- Track kernel version deployments across infrastructure to identify systems running vulnerable versions
How to Mitigate CVE-2022-24448
Immediate Actions Required
- Update Linux kernel to version 5.16.5 or later immediately
- Apply vendor-specific patches for Debian systems via DSA-5092 and DSA-5096
- Review and restrict NFS mount access to trusted users only
- Implement least-privilege principles for users with access to NFS-mounted filesystems
Patch Information
The vulnerability has been addressed in Linux kernel version 5.16.5. The fix adds proper validation in the nfs_atomic_open() function to check if the inode is a directory when the LOOKUP_DIRECTORY flag is set, returning -ENOTDIR when appropriate.
Key patches: Linux commit ac79516 (fs/nfs/dir.c, the nfs_atomic_open() directory check) and Linux commit ab0fc21 (fs/nfs/nfs4file.c, the access-mode handling shown above).
Debian users should refer to Debian LTS Announcement #11 and Debian LTS Announcement #12 for distribution-specific updates.
Workarounds
- Restrict NFS mount access to only essential users and services
- Implement network segmentation to limit NFS traffic to trusted network segments
- Use SELinux or AppArmor policies to restrict application access to NFS operations
- Monitor and alert on suspicious NFS-related system call patterns
# Check current kernel version for vulnerability status
uname -r
# Versions before 5.16.5 are vulnerable
# Verify NFS module status
lsmod | grep nfs
# Review NFS mounts that may be affected
mount | grep nfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

