CVE-2022-28388 Overview
CVE-2022-28388 is a double free vulnerability in the Linux kernel's USB CAN driver, specifically in the usb_8dev_start_xmit function located in drivers/net/can/usb/usb_8dev.c. This memory corruption flaw affects Linux kernel versions through 5.17.1 and can be exploited by a local attacker to cause a denial of service condition through system crashes or memory corruption.
Critical Impact
Local attackers with low privileges can trigger a double free condition in the USB 8dev CAN driver, potentially causing kernel crashes, system instability, or denial of service affecting systems utilizing CAN bus interfaces.
Affected Products
- Linux Kernel through version 5.17.1
- Debian Linux 10.0 and 11.0
- Fedora 34, 35, and 36
- NetApp H300S, H500S, H700S, H300E, H500E, H700E, H410S, and H410C firmware
Discovery Timeline
- April 3, 2022 - CVE-2022-28388 published to NVD
- May 5, 2025 - Last updated in NVD database
Technical Details for CVE-2022-28388
Vulnerability Analysis
This vulnerability is classified as CWE-415 (Double Free), a memory corruption vulnerability that occurs when the same memory allocation is freed twice. In the context of the usb_8dev_start_xmit() function, the vulnerability exists in the error handling path where a socket buffer (skb) could be freed twice, once in the error path and again by the network stack or related cleanup routines.
The flaw is exploitable locally, meaning an attacker needs local access to the system but requires only low privileges to trigger the condition. The vulnerability primarily impacts system availability, as successful exploitation can lead to kernel crashes, memory corruption, or unpredictable system behavior without compromising data confidentiality or integrity.
Root Cause
The root cause of this vulnerability lies in improper error handling within the usb_8dev_start_xmit() function. When usb_submit_urb() fails, the original error path did not properly manage resource cleanup, leading to a scenario where dev_kfree_skb() could be called on the same socket buffer multiple times. The error path failed to account for the fact that the echo skb and other resources needed explicit cleanup when USB request block submission failed.
Attack Vector
The attack vector requires local access to the system with low privileges. An attacker can trigger the double free condition by:
- Accessing a system with the USB 8dev CAN driver loaded
- Initiating network transmissions through the CAN interface
- Creating conditions that cause usb_submit_urb() to fail (such as through resource exhaustion or USB device disconnection)
- Letting the resulting error path run, where improper cleanup leads to the double free
The following patch demonstrates the fix applied to address the vulnerability:
atomic_inc(&priv->active_tx_urbs);
err = usb_submit_urb(urb, GFP_ATOMIC);
- if (unlikely(err))
- goto failed;
- else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
+ if (unlikely(err)) {
+ can_free_echo_skb(netdev, context->echo_index, NULL);
+
+ usb_unanchor_urb(urb);
+ usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
+
+ atomic_dec(&priv->active_tx_urbs);
+
+ if (err == -ENODEV)
+ netif_device_detach(netdev);
+ else
+ netdev_warn(netdev, "failed tx_urb %d\n", err);
+ stats->tx_dropped++;
+ } else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
/* Slow down tx path */
netif_stop_queue(netdev);
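Review bot: the `} else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)` arm is left unbraced while the new `if (unlikely(err))` arm is braced, and the unbraced arm already spans a comment line plus a statement; kernel coding style asks for braces on every arm once one arm needs them, so brace the `else if` body too. Separately, with `goto failed` removed the error branch now falls through to code this hunk does not show. Confirm that whatever follows `netif_stop_queue(netdev)` returns without freeing the skb again after `can_free_echo_skb()`, and that the `failed` label has no remaining users.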
Source: GitHub Linux Commit
The fix introduces proper inline error handling that explicitly cleans up the echo skb via can_free_echo_skb(), unanchors and frees the URB resources, decrements the active TX URB counter, and handles device detachment scenarios appropriately.
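The ownership rule behind the root cause and the fix, as an added example (not code from the kernel tree or from this advisory). It is a simplified userspace model: all mock_* and xmit_* names are hypothetical, the pre-fix shape is an assumption based on the description above, and -19 is a constructed stand-in for -ENODEV.

```c
#include <stdio.h>

/* Userspace model, hypothetical names: frees are counted, not performed. */
struct mock_skb { int frees; };
struct mock_dev { struct mock_skb *echo_slot; };
typedef int (*xmit_fn)(struct mock_dev *, struct mock_skb *, int);

static void mock_kfree_skb(struct mock_skb *skb) { if (skb) skb->frees++; }

/* Releasing the echo slot frees the skb it owns and clears the pointer. */
static void mock_free_echo_skb(struct mock_dev *d)
{
    mock_kfree_skb(d->echo_slot);
    d->echo_slot = NULL;
}

/* Assumed pre-fix shape: the failure path frees skb after the slot did. */
int xmit_before(struct mock_dev *d, struct mock_skb *skb, int submit_err)
{
    d->echo_slot = skb;          /* echo slot takes ownership of skb */
    if (submit_err) {
        mock_free_echo_skb(d);   /* first free, through the echo slot */
        mock_kfree_skb(skb);     /* second free of the same buffer */
    }
    return 0;
}

/* Post-fix shape: inline cleanup releases the buffer once, via the slot. */
int xmit_after(struct mock_dev *d, struct mock_skb *skb, int submit_err)
{
    d->echo_slot = skb;
    if (submit_err)
        mock_free_echo_skb(d);   /* the only free on this path */
    return 0;
}

/* Run one transmit with a given submit result; return frees seen on skb. */
int frees_for(xmit_fn xmit, int submit_err)
{
    struct mock_skb skb = { 0 };
    struct mock_dev dev = { NULL };
    xmit(&dev, &skb, submit_err);
    return skb.frees;
}

int main(void)
{
    printf("before=%d after=%d\n", frees_for(xmit_before, -19), frees_for(xmit_after, -19));
    return 0;
}
```

In a real kernel the second free is what KASAN reports; the counter here only makes the ownership mistake visible without corrupting the heap.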
Detection Methods for CVE-2022-28388
Indicators of Compromise
- Unexpected kernel crashes or panics related to the usb_8dev driver module
- System log entries showing double free warnings or memory corruption errors in CAN-related components
- Kernel oops messages referencing usb_8dev_start_xmit or related USB CAN functions
- Abnormal memory allocation patterns in systems with active CAN bus interfaces
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for double free warnings, memory corruption errors, or oops messages related to the USB 8dev CAN driver
- Implement kernel tracing with ftrace or eBPF to monitor usb_8dev_start_xmit() function behavior and error path execution
- Deploy SentinelOne agents to detect kernel-level anomalies and memory corruption indicators
- Utilize kernel debugging tools like KASAN (Kernel Address Sanitizer) to detect double free conditions in development environments
Monitoring Recommendations
- Enable kernel logging at debug level for the CAN subsystem on systems utilizing USB CAN adapters
- Configure system monitoring to alert on kernel crashes or unexpected reboots on affected systems
- Implement automated kernel version checking to identify systems running vulnerable kernel versions (through 5.17.1)
- Monitor USB device attachment/detachment events on systems where CAN interfaces are critical
How to Mitigate CVE-2022-28388
Immediate Actions Required
- Update Linux kernel to a patched version that includes commit 3d3925ff6433f98992685a9679613a2cc97f3ce2
- Apply vendor-specific security updates from Debian, Fedora, or NetApp as appropriate for your distribution
- If immediate patching is not possible, consider disabling or unloading the usb_8dev kernel module on systems not requiring CAN bus functionality
- Restrict local access to affected systems to minimize exploitation risk
Patch Information
The vulnerability has been addressed in the Linux kernel through commit 3d3925ff6433f98992685a9679613a2cc97f3ce2. Distribution-specific patches are available through:
- Debian Security Advisory DSA-5127
- Debian Security Advisory DSA-5173
- Fedora Package Announcements
- NetApp Security Advisory
Workarounds
- Unload the vulnerable usb_8dev kernel module using modprobe -r usb_8dev if CAN bus functionality is not required
- Blacklist the module by adding blacklist usb_8dev to /etc/modprobe.d/blacklist.conf to prevent automatic loading
- Restrict physical access to USB ports on affected systems to prevent unauthorized USB CAN device connections
- Implement network segmentation to isolate systems with CAN interfaces from less trusted network segments
# Disable the vulnerable usb_8dev module
sudo modprobe -r usb_8dev
# Blacklist the module to prevent automatic loading
echo "blacklist usb_8dev" | sudo tee /etc/modprobe.d/blacklist-usb_8dev.conf
# Verify the module is not loaded (no output means it is unloaded)
lsmod | grep usb_8dev
# Update initramfs to apply blacklist on boot (Debian/Ubuntu tooling)
sudo update-initramfs -u

