
CVE-2022-29581: Linux Kernel Privilege Escalation Flaw

CVE-2022-29581 is a privilege escalation vulnerability in the Linux Kernel net/sched component that allows local attackers to gain root access. This article covers the technical details, affected versions, and mitigation.


CVE-2022-29581 Overview

CVE-2022-29581 is a local privilege escalation vulnerability in the Linux kernel's net/sched subsystem. The flaw is an improper update of a reference count [CWE-911] that allows a local, unprivileged attacker to escalate privileges to root. The issue affects Linux kernel versions from 4.14 up to, but not including, 5.18, and reaches downstream into Debian and Ubuntu kernels as well as NetApp HCI storage node firmware. The vulnerability was disclosed publicly via the Openwall oss-security list on May 18, 2022, with a fix committed to the upstream kernel as commit 3db09e762dc79584a69c10d74a6b98f89a9979f8.

Critical Impact

A local attacker with the ability to create network classifiers via unprivileged user namespaces can trigger the reference count flaw to gain full root privileges on affected Linux systems.

Affected Products

  • Linux kernel versions 4.14 up to, but not including, 5.18
  • Debian Linux 10 and Ubuntu LTS releases (14.04, 16.04 ESM, 18.04, 20.04, 22.04)
  • NetApp HCI storage nodes including H300S/E, H500S/E, H700S/E, H410S, and H410C firmware

Discovery Timeline

  • 2022-05-17 - CVE-2022-29581 published to NVD
  • 2022-05-18 - Vulnerability disclosed on the Openwall oss-security mailing list
  • 2022-06-29 - NetApp publishes advisory NTAP-20220629-0005
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-29581

Vulnerability Analysis

The vulnerability resides in the Linux kernel traffic control (tc) subsystem under net/sched. The kernel improperly updates a reference counter on a kernel object, leading to a use-after-free condition tracked under the CWE-911 class of improper reference count update bugs. When the counter is decremented out of sequence, the kernel can free an object that still has live references, allowing an attacker to reclaim that memory and manipulate kernel structures.

Exploitation requires local access and the ability to invoke the tc netlink interfaces. On distributions that enable unprivileged user namespaces, an unprivileged user can obtain CAP_NET_ADMIN inside a namespace and reach the vulnerable code path without prior privileges. Successful exploitation results in arbitrary kernel memory corruption, which an attacker converts into code execution at ring 0 to obtain root.

Root Cause

The bug is an improper update of a reference count on a net/sched classifier object. The fix landed in upstream commit 3db09e762dc79584a69c10d74a6b98f89a9979f8, which corrects the reference handling so that the object is not released while still in use. Because the freed object lives in a slab cache also used by other subsystems, an attacker can perform heap grooming to place attacker-controlled data into the freed slot.

Attack Vector

The attack vector is local. An attacker executes a binary on the target system that opens an AF_NETLINK socket of family NETLINK_ROUTE, configures a queueing discipline, and manipulates classifier filters in a sequence that triggers the unbalanced reference count. Repeated allocation and free cycles are used to reclaim the freed object with attacker-controlled content, after which kernel control flow is hijacked. No user interaction is required beyond running the exploit binary.

The vulnerability is described in prose only; no verified public proof-of-concept is referenced in the NVD record. Technical details are available in the Openwall OSS-Security discussion and the upstream kernel commit.

Detection Methods for CVE-2022-29581

Indicators of Compromise

  • Unexpected kernel oops or general protection fault entries in dmesg referencing functions inside net/sched/cls_*.c or net/sched/sch_*.c.
  • Unprivileged processes invoking unshare(CLONE_NEWUSER | CLONE_NEWNET) followed by rapid tc filter creation and deletion via AF_NETLINK sockets.
  • New SUID root shells, modifications to /etc/passwd, or unexpected processes parented to a user-namespace-spawned shell.

Detection Strategies

  • Inventory kernel versions across the fleet and flag any host running a kernel between 4.14 and 5.17.x inclusive that has not received a backported fix.
  • Use auditd to record setns, unshare, and clone system calls from non-root UIDs, and correlate them with socket creation of family AF_NETLINK and protocol NETLINK_ROUTE by the same process.
  • Monitor for processes that transition from a non-zero UID to UID 0 without traversing a known authentication binary such as sudo, su, or pkexec.
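The auditd correlation described in the second strategy, as an added example that is not part of the original page: it parses audit SYSCALL records and flags a non-root process that creates user and network namespaces and then opens a NETLINK_ROUTE socket. The audit rules in the comment, the key names, and the sample records are assumptions constructed for this example; syscall numbers are x86_64 only.

```python
import re

# Flag values from <linux/sched.h> and <linux/netlink.h>
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000
AF_NETLINK = 16
NETLINK_ROUTE = 0
SYSCALL_NAMES = {272: "unshare", 41: "socket"}  # x86_64 (arch=c000003e) numbers

# Assumed auditd rules producing these records (hypothetical key names):
#   -a always,exit -F arch=b64 -S unshare -F auid>=1000 -F auid!=unset -k ns_create
#   -a always,exit -F arch=b64 -S socket -F a0=16 -k netlink
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one auditd SYSCALL record into a dict; other record types yield None."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_suspicious_pids(lines):
    """Per pid: a non-root unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by
    socket(AF_NETLINK, *, NETLINK_ROUTE). Returns a list of (pid, uid, comm)."""
    ns_pids, hits = set(), []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("arch") != "c000003e":  # other arches renumber syscalls
            continue
        name = SYSCALL_NAMES.get(int(rec.get("syscall", -1)))
        uid, pid = int(rec.get("uid", 0)), rec.get("pid")
        if name is None or uid == 0:  # root creating namespaces or netlink sockets is routine
            continue
        if name == "unshare":
            flags = int(rec["a0"], 16)  # audit records syscall arguments in hex
            if flags & CLONE_NEWUSER and flags & CLONE_NEWNET:
                ns_pids.add(pid)
        elif pid in ns_pids:  # name == "socket"
            if int(rec["a0"], 16) == AF_NETLINK and int(rec["a2"], 16) == NETLINK_ROUTE:
                hits.append((pid, uid, rec.get("comm", "?")))
    return hits

# Constructed sample records (not from a real system); fields trimmed for brevity
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1652900000.101:201): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 pid=1234 uid=1000 comm="ns_tool"
type=SYSCALL msg=audit(1652900000.102:202): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 pid=1234 uid=1000 comm="ns_tool"
type=SYSCALL msg=audit(1652900000.103:203): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 pid=900 uid=0 comm="NetworkManager"
type=SYSCALL msg=audit(1652900000.104:204): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 pid=1400 uid=1001 comm="bwrap"
type=PROCTITLE msg=audit(1652900000.104:204): proctitle=2F7573722F62696E2F6277726170
"""
```

Only the pid that created both namespace types and then a NETLINK_ROUTE socket is reported; a user-namespace-only tool such as the bwrap record is not.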

Monitoring Recommendations

  • Enable kernel lockdown and KASLR auditing where supported, and forward kernel ring buffer logs to a central log store for retention and correlation.
  • Track invocations of tc qdisc add and tc filter add from user contexts that historically do not perform network administration.
  • Alert on creation of user namespaces by accounts that should not require them, particularly on servers exposing only application workloads.

How to Mitigate CVE-2022-29581

Immediate Actions Required

  • Update the Linux kernel to version 5.18 or later, or apply the distribution backport that includes commit 3db09e762dc79584a69c10d74a6b98f89a9979f8.
  • Apply vendor patches from the Debian Security Advisory DSA-5173, Ubuntu Kernel Live Patch notices LSN-0086-1 and LSN-0089-1, and the NetApp advisory NTAP-20220629-0005.
  • Reboot affected systems after patching, or use kernel live patching where available to close the window without downtime.

Patch Information

The upstream fix is kernel commit 3db09e762d, included in Linux 5.18. Distribution-specific patched packages are tracked through Debian DSA-5173 and the Ubuntu LSN notices listed above. NetApp HCI customers should follow guidance in NTAP-20220629-0005 for storage node firmware updates.
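A fleet triage helper for the version range above, as an added example that is not part of the original page: it reduces `uname -r` strings to (major, minor), marks anything from 5.18 upward as carrying the upstream fix, and deliberately reports kernels in the 4.14 to 5.17.x range as "needs_backport_check" rather than "vulnerable", because distribution kernels stay on their series and receive the fix as a backport. The hostnames and release strings are constructed.

```python
import re

# Range as stated on this page: 4.14 up to, but not including, 5.18
AFFECTED_MIN = (4, 14)
FIXED = (5, 18)  # first upstream release carrying commit 3db09e762d
VERSION_RE = re.compile(r"^(\d+)\.(\d+)")

def parse_release(release):
    """Reduce a `uname -r` string such as '5.4.0-113-generic' to (major, minor)."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def classify(release):
    """Return 'fixed_upstream', 'needs_backport_check' or 'not_in_range'."""
    v = parse_release(release)
    if v >= FIXED:
        return "fixed_upstream"
    if v >= AFFECTED_MIN:
        # Distribution kernels (Ubuntu 5.4, Debian 5.10, ...) keep their series number
        # and receive the fix as a backport, so the version string alone cannot clear
        # them; confirm against the package changelog or the DSA/LSN advisory instead.
        return "needs_backport_check"
    return "not_in_range"

def triage_inventory(lines):
    """lines: 'hostname release' pairs, e.g. collected with `uname -r` across the fleet."""
    pairs = (l.split(maxsplit=1) for l in lines if l.strip())
    return {host: classify(rel) for host, rel in pairs}

SAMPLE_INVENTORY = [  # constructed hostnames and releases, not real hosts
    "web01 5.4.0-113-generic",
    "db01 5.10.0-15-amd64",
    "build01 5.17.9-300.fc36.x86_64",
    "edge01 6.1.0-0.deb11.7-amd64",
    "legacy01 4.9.320-1",
]
```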

Workarounds

  • Disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone = 0 on Debian/Ubuntu or user.max_user_namespaces = 0 on systems that support it, removing the most accessible path to the vulnerable code.
  • Restrict access to the tc interface and CAP_NET_ADMIN to trusted administrators, and avoid running untrusted code on shared multi-tenant Linux hosts.
  • Apply a seccomp profile to high-risk workloads that blocks unshare, setns, and clone calls creating new network or user namespaces.
```bash
# Configuration example: disable unprivileged user namespaces
# (kernel.unprivileged_userns_clone exists on Debian/Ubuntu kernels; elsewhere use user.max_user_namespaces)
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-cve-2022-29581.conf

# Verify the running kernel and installed kernel packages; compare against the
# fixed package versions named in DSA-5173 or the Ubuntu LSN notices
uname -r
apt list --installed 2>/dev/null | grep linux-image
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
