CVE-2022-27666 Overview
CVE-2022-27666 is a heap buffer overflow vulnerability in the Linux kernel's IPsec Encapsulating Security Payload (ESP) transformation code. The flaw resides in net/ipv4/esp4.c and net/ipv6/esp6.c, where the ESP transformation routine allocates an insufficiently sized buffer for outbound packets. A local user with normal privileges can trigger the overflow to overwrite adjacent kernel heap objects. Successful exploitation enables local privilege escalation to root. The issue affects Linux kernel versions up to 5.17 release candidates, along with downstream distributions from Red Hat, Fedora, Debian, and NetApp ONTAP Select appliances. The vulnerability is tracked under [CWE-787] Out-of-Bounds Write.
Critical Impact
A local unprivileged user can overwrite kernel heap memory through the IPsec ESP transformation path, leading to full local privilege escalation on unpatched Linux systems.
Affected Products
- Linux kernel versions up to and including 5.17-rc7
- Red Hat Enterprise Linux 8 and Red Hat Virtualization 4.0
- Debian Linux 9, 10, 11 and Fedora 34, 35
- NetApp HCI storage and compute nodes (H300S/E, H500S/E, H700S/E, H410S, H410C)
Discovery Timeline
- 2022-03-23 - CVE-2022-27666 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-27666
Vulnerability Analysis
The vulnerability lives inside the ESP output path used by the Linux kernel's XFRM IPsec stack. When the kernel processes an outbound packet that requires ESP encryption, it constructs a scatter-gather list backed by pages allocated through the page fragment allocator. The transformation routine in esp_output_head() failed to enforce an upper bound on the combined size of the packet payload, ESP trailer, integrity check value, and any TCP/UDP encapsulation overhead. When the requested length exceeded the maximum page fragment size, the kernel wrote past the allocated buffer into adjacent heap objects.
The overflow occurs in kernel context against slab allocations, giving an attacker direct influence over neighboring kernel objects. Researchers demonstrated that a local user can shape the slab layout and use the overwrite to corrupt function pointers or reference counters, ultimately gaining CAP_SYS_ADMIN or root execution. The bug requires only a usable IPsec transform policy, which an unprivileged user can install when user namespaces are enabled on the target system.
Root Cause
The ESP transformation code computed the tail length and allocation size without validating that the total exceeded PAGE_SIZE << SKB_FRAG_PAGE_ORDER. The patch introduces an ESP_SKB_FRAG_MAXSIZE macro and an allocsz check that forces the kernel to fall back to a linearized skb when the size would overflow the fragment buffer.
Attack Vector
Exploitation is local and requires the attacker to send crafted traffic through an IPsec transform that they control. On distributions where unprivileged user namespaces are enabled, a normal user can create the namespace, install an XFRM state, and trigger the ESP transformation path entirely from userspace.
// Patch in include/net/esp.h adds a bound for fragment allocations
#include <linux/skbuff.h>
#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
struct ip_esp_hdr;
static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
// Patch in net/ipv4/esp4.c introduces allocsz validation in esp_output_head()
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
unsigned int allocsz;
/* this is non-NULL only with TCP/UDP Encapsulation */
if (x->encap) {
Source: Linux kernel commit ebe48d3
Detection Methods for CVE-2022-27666
Indicators of Compromise
- Unexpected kernel oops or BUG: KASAN: slab-out-of-bounds entries in dmesg referencing esp_output_head or esp6_output_head.
- Unprivileged processes that suddenly acquire elevated capabilities or spawn root-owned shells after creating user namespaces.
- Loading of the esp4, esp6, or xfrm_user modules by non-administrative users on systems that do not normally use IPsec.
Detection Strategies
- Audit kernel ring buffer messages for slab corruption signatures and stack traces that include the ESP transformation functions.
- Monitor auditd for setsockopt calls with IPPROTO_IP and XFRM netlink operations originating from non-root users.
- Correlate user namespace creation (unshare(CLONE_NEWUSER)) with subsequent XFRM policy installation on multi-user systems.
Monitoring Recommendations
- Enable kernel address sanitizer (KASAN) and lockdown mode in test environments to surface heap corruption reproducers.
- Forward dmesg, auditd, and journald logs to a central analytics platform for cross-host pattern matching.
- Track installed kernel package versions across the fleet and alert when hosts run kernels predating the upstream fix.
How to Mitigate CVE-2022-27666
Immediate Actions Required
- Apply the vendor kernel updates from Red Hat, Debian, Fedora, and NetApp that incorporate commit ebe48d3 into the running kernel.
- Reboot systems after patching to ensure the vulnerable esp4/esp6 modules are reloaded from the fixed binaries.
- Disable unprivileged user namespaces on multi-tenant hosts where IPsec is not required for normal workloads.
Patch Information
The upstream fix is committed as ebe48d368e97d007bfeb76fcb065d6cfc4c96645 in the Linux kernel tree. Distribution patches are available through Debian Security Advisory DSA-5127, Debian Security Advisory DSA-5173, NetApp Security Advisory NTAP-20220429-0001, and Red Hat Bug 2061633.
Workarounds
- Blacklist the esp4 and esp6 kernel modules on hosts that do not require IPsec ESP transformations.
- Restrict creation of user namespaces by setting kernel.unprivileged_userns_clone=0 via sysctl.
- Limit CAP_NET_ADMIN to administrative accounts so unprivileged users cannot install XFRM states.
# Disable unprivileged user namespaces and block ESP modules
sysctl -w kernel.unprivileged_userns_clone=0
echo 'install esp4 /bin/true' | sudo tee /etc/modprobe.d/disable-esp.conf
echo 'install esp6 /bin/true' | sudo tee -a /etc/modprobe.d/disable-esp.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
