CVE-2022-28356 Overview
CVE-2022-28356 is a memory leak vulnerability discovered in the Linux kernel's LLC (Logical Link Control) networking subsystem. The vulnerability exists in net/llc/af_llc.c where a refcount leak bug can be exploited to cause resource exhaustion, potentially leading to a denial of service condition on affected systems.
The flaw occurs in the llc_ui_bind() function where network device references are not properly released when error conditions occur during socket binding operations. This reference count leak can accumulate over time, preventing proper resource cleanup and eventually impacting system stability.
Critical Impact
Local attackers with low privileges can exploit this memory leak to cause denial of service through resource exhaustion on Linux systems running kernel versions before 5.17.1.
Affected Products
- Linux Kernel versions before 5.17.1
- Debian Linux 9.0 (Stretch)
- Debian Linux 10.0 (Buster)
- Debian Linux 11.0 (Bullseye)
Discovery Timeline
- 2022-04-02 - CVE-2022-28356 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2022-28356
Vulnerability Analysis
The vulnerability resides in the LLC socket binding implementation within the Linux kernel networking stack. When a user-space application attempts to bind an LLC socket to a network interface, the kernel increments a reference count on the network device. However, if the binding operation fails for any reason after the reference has been incremented, the code path fails to properly decrement the reference count before returning an error.
This creates a situation where each failed bind attempt leaks one reference to the network device. Since reference counts control when kernel objects are freed, leaked references prevent proper resource cleanup. An attacker with local access can repeatedly trigger failed bind operations to exhaust kernel memory resources.
The vulnerability requires local access and low privileges to exploit, as the attacker must be able to create and bind LLC sockets. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system.
Root Cause
The root cause is improper cleanup handling in the error path of the llc_ui_bind() function. When the function takes a reference to a network device but subsequently encounters an error condition, it returns the error code without first releasing that reference. This violates the kernel's reference counting contract, which requires that every reference increment be balanced by a corresponding decrement.
Attack Vector
The attack vector is local, requiring an authenticated user with the ability to create network sockets. The attacker would:
- Create an LLC socket using the socket system call
- Attempt to bind the socket to a network interface in a way that triggers an error condition
- Repeat this process to leak references
- Continue until kernel resources are exhausted, causing system instability or denial of service
The low attack complexity and absence of user interaction requirements make this vulnerability relatively straightforward to exploit once local access is obtained.
sock_reset_flag(sk, SOCK_ZAPPED);
rc = 0;
out:
+ if (rc) {
+ dev_put_track(llc->dev, &llc->dev_tracker);
+ llc->dev = NULL;
+ }
return rc;
}
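Review bot: the new block under out: runs for every non-zero rc, including any path that jumps to out before llc->dev has been assigned, so the put relies on dev_put_track() tolerating a NULL device. Either confirm that it does and note it in the commit message, or make the condition explicit, e.g. if (rc && llc->dev). Setting llc->dev = NULL after the put is the right order, since it keeps the socket from holding a pointer it no longer owns a reference to.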
Source: GitHub Linux Commit
The patch adds proper cleanup logic in the error path. When rc indicates an error (non-zero), the code now calls dev_put_track() to release the network device reference and sets llc->dev to NULL to prevent use-after-free scenarios.
Detection Methods for CVE-2022-28356
Indicators of Compromise
- Unusual memory consumption growth in kernel space over time
- Increasing network device reference counts without corresponding decrements
- System performance degradation correlating with LLC socket operations
- Kernel warnings or errors related to network device reference counting
Detection Strategies
- Monitor system memory usage for gradual kernel memory exhaustion patterns
- Audit processes creating LLC sockets using syscall monitoring
- Track kernel log messages for reference counting warnings in the networking subsystem
- Implement file integrity monitoring to verify kernel version matches patched releases
Monitoring Recommendations
- Deploy endpoint detection solutions that monitor for unusual socket creation patterns
- Configure kernel auditing to log LLC socket operations and bind failures
- Establish baseline metrics for kernel memory usage to detect anomalous growth
- Use SentinelOne's kernel-level visibility to detect exploitation attempts targeting networking subsystems
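The syscall-audit and kernel-log checks from the two lists above, sketched as an added example (not code from this advisory or from the kernel project). The audit key name llc_socket, the helper function names and all sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed audit rule (the key name "llc_socket" is made up);
# AF_LLC is address family 26, which auditd logs in hex as a0=1a:
#   auditctl -a always,exit -F arch=b64 -S socket -F a0=26 -k llc_socket

# Constructed sample audit records (not from a real host).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1650000001.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=1a a1=2 a2=0 a3=0 items=0 ppid=1200 pid=1301 auid=1001 uid=1001 comm="demo" exe="/tmp/demo" key="llc_socket"
type=SYSCALL msg=audit(1650000001.102:902): arch=c000003e syscall=41 success=yes exit=4 a0=1a a1=2 a2=0 a3=0 items=0 ppid=1200 pid=1301 auid=1001 uid=1001 comm="demo" exe="/tmp/demo" key="llc_socket"
type=SYSCALL msg=audit(1650000001.103:903): arch=c000003e syscall=41 success=yes exit=5 a0=1a a1=2 a2=0 a3=0 items=0 ppid=1200 pid=1301 auid=1001 uid=1001 comm="demo" exe="/tmp/demo" key="llc_socket"
type=SYSCALL msg=audit(1650000002.200:904): arch=c000003e syscall=41 success=yes exit=3 a0=1a a1=2 a2=0 a3=0 items=0 ppid=900 pid=950 auid=1000 uid=1000 comm="tool" exe="/usr/bin/tool" key="llc_socket"
type=SYSCALL msg=audit(1650000003.300:905): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 items=0 ppid=1200 pid=1301 auid=1001 uid=1001 comm="demo" exe="/tmp/demo" key="other"
EOF
}

# Constructed sample kernel log lines.
sample_kernel_log() {
cat <<'EOF'
kernel: unregister_netdevice: waiting for eth1 to become free. Usage count = 3
kernel: eth1: Link is Up
kernel: unregister_netdevice: waiting for eth1 to become free. Usage count = 3
EOF
}

# Count LLC socket creations per audit login UID; input is audit.log text.
# Output: "auid count" lines, busiest account first.
llc_sockets_by_auid() {
    awk '/type=SYSCALL/ && /key="llc_socket"/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^auid=/) n[substr($i, 6)]++
        }
        END { for (u in n) print u, n[u] }' | sort -k2,2nr -k1,1n
}

# Count kernel messages reporting a net device that cannot be freed
# because references to it are still held.
netdev_ref_warnings() {
    grep -c 'unregister_netdevice: waiting for .* to become free' || true
}

if [ "${1:-}" = "demo" ]; then
    sample_audit_log | llc_sockets_by_auid
    sample_kernel_log | netdev_ref_warnings
fi
```

The kernel message only appears when the affected interface is being unregistered, so its absence does not rule out leaked references.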
How to Mitigate CVE-2022-28356
Immediate Actions Required
- Update Linux kernel to version 5.17.1 or later to receive the security fix
- Apply distribution-specific security patches from Debian or other vendors
- Restrict local access to systems where kernel updates cannot be immediately applied
- Monitor for unusual system resource consumption as an interim measure
Patch Information
The vulnerability has been patched in Linux kernel version 5.17.1 and backported to supported distribution kernels. The fix is documented in the Linux Kernel ChangeLog 5.17.1 and the specific commit can be reviewed at the GitHub Linux Commit.
Distribution-specific patches are available through:
- Debian Security Advisory DSA-5127
- Debian Security Advisory DSA-5173
- Debian LTS Announcement
- NetApp Security Advisory NTAP-20220506-0006
Workarounds
- Limit user access to systems running vulnerable kernel versions
- Use kernel module blacklisting to disable LLC protocol support if not required (blacklist llc)
- Implement resource limits (cgroups) to constrain the impact of memory exhaustion attacks
- Restrict socket creation capabilities using Linux Security Modules (SELinux, AppArmor)
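# Disable LLC module if not needed (run as root).
# Note: "blacklist" only stops alias-based autoloading; an explicit modprobe still loads the module.
echo "blacklist llc" >> /etc/modprobe.d/blacklist-llc.conf
# Unload the module now; this fails if it is currently in use
modprobe -r llc
# Verify current kernel version
uname -r
# Check for available kernel updates (Debian/Ubuntu)
apt update && apt list --upgradable | grep linux-image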
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

