CVE-2022-43750 Overview
CVE-2022-43750 is an out-of-bounds write vulnerability [CWE-787] in the Linux kernel's usbmon USB monitoring subsystem. The flaw resides in drivers/usb/mon/mon_bin.c and allows a local user-space client with access to the monitor device to corrupt the monitor's internal memory through a writable memory mapping. The issue affects the Linux kernel before 5.19.15 and 6.x before 6.0.1, as well as Debian Linux distributions shipping vulnerable kernels. Linux maintainers addressed the issue by enforcing read-only semantics on the mmapped buffer used by usbmon clients.
Critical Impact
Authenticated local attackers with privileged access to the usbmon interface can corrupt kernel-managed monitor memory, leading to loss of confidentiality, integrity, and availability of the affected host.
Affected Products
- Linux Kernel versions prior to 5.19.15
- Linux Kernel 6.x versions prior to 6.0.1
- Debian Linux 10.0 (and related LTS-supported kernel packages)
Discovery Timeline
- 2022-10-26 - CVE-2022-43750 published to the National Vulnerability Database (NVD)
- 2022-11 - Debian LTS advisory issued covering the affected kernel packages
- 2022-12 - Additional Debian LTS advisory published
- 2025-05-07 - Last updated in NVD database
Technical Details for CVE-2022-43750
Vulnerability Analysis
The usbmon facility exposes a binary interface at /dev/usbmonN that lets privileged user-space tools (such as Wireshark and tshark) capture USB traffic. Clients map a ring buffer into their address space using mmap() to consume USB events efficiently. The vulnerable implementation of mon_bin_mmap() in drivers/usb/mon/mon_bin.c accepted writable mappings on a buffer that the kernel treated as a producer-only region. A user-space process could then write into pages the kernel later modified, corrupting usbmon internal state and producing an out-of-bounds write condition [CWE-787] inside kernel-managed memory.
Root Cause
The root cause is missing enforcement of read-only mapping semantics in the mon_bin_mmap() handler. The function did not reject VM_WRITE requests and did not clear VM_MAYWRITE, leaving the shared monitor buffer mutable from user space. Because the kernel concurrently writes USB event metadata into the same pages, user modifications corrupt structures the monitor later dereferences.
Attack Vector
Exploitation requires local access and elevated privileges sufficient to open the usbmon character device, which is typically restricted to root or to users in a packet capture group. An attacker opens /dev/usbmonN, issues mmap() with PROT_WRITE, and then writes attacker-controlled bytes into the shared region. Subsequent USB event processing by the kernel operates on the tampered memory, enabling memory corruption and potential privilege escalation within the kernel context.
{
/* don't do anything here: "fault" will set up page table entries */
vma->vm_ops = &mon_bin_vm_ops;
+
+ if (vma->vm_flags & VM_WRITE)
+ return -EPERM;
+
+ vma->vm_flags &= ~VM_MAYWRITE;
vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
vma->vm_private_data = filp->private_data;
mon_bin_vma_open(vma);
Source: Linux Kernel Commit a659daf. The patch returns -EPERM for any mmap() request that includes VM_WRITE and clears VM_MAYWRITE so user space cannot later upgrade the mapping to writable.
Detection Methods for CVE-2022-43750
Indicators of Compromise
- Unexpected processes opening /dev/usbmon0, /dev/usbmon1, or other usbmon devices outside of legitimate capture workflows (e.g., Wireshark, tshark, tcpdump).
- Kernel oops, BUG, or warning messages referencing mon_bin, mon_bin_mmap, or mon_bin_vma_* functions in dmesg and /var/log/kern.log.
- Non-administrative accounts gaining membership in groups that grant access to packet capture devices.
Detection Strategies
- Audit open() and mmap() syscalls targeting /dev/usbmon* devices using auditd or eBPF-based syscall tracing.
- Compare running kernel versions against fixed releases (uname -r) across the fleet and flag hosts still on Linux < 5.19.15 or 6.0 without the patch.
- Hunt for processes invoking mmap() with PROT_WRITE on usbmon file descriptors, which is anomalous for legitimate capture tools.
Monitoring Recommendations
- Forward kernel logs and audit events to a centralized SIEM and alert on mon_bin crash signatures.
- Track package versions of linux-image-* on Debian-based hosts via configuration management to identify unpatched systems.
- Monitor for new local accounts or setuid invocations that interact with USB monitoring devices.
How to Mitigate CVE-2022-43750
Immediate Actions Required
- Upgrade the Linux kernel to 5.19.15, 6.0.1, or later, or apply the distribution-provided backport that includes commit a659daf63d16aa883be42f3f34ff84235c302198.
- On Debian systems, install the kernel updates referenced in the Debian LTS Announcement November 2022 and Debian LTS Announcement December 2022.
- Restrict access to /dev/usbmon* to a minimal set of administrative users and review group membership.
Patch Information
The upstream fix is commit a659daf63d16aa883be42f3f34ff84235c302198 ("usb: mon: make mmapped memory read only") and shipped in the Linux Kernel ChangeLog 5.19.15 and the Linux Kernel ChangeLog 6.0.1. The patch rejects writable mappings on the usbmon binary device and clears VM_MAYWRITE to prevent later upgrades to a writable mapping.
Workarounds
- Unload the usbmon kernel module on systems that do not require USB traffic capture: modprobe -r usbmon.
- Blacklist usbmon in /etc/modprobe.d/ to prevent automatic loading until the kernel is patched.
- Tighten permissions on /dev/usbmon* so only trusted administrators can open the devices.
# Configuration example: disable usbmon until the kernel is patched
echo "blacklist usbmon" | sudo tee /etc/modprobe.d/disable-usbmon.conf
sudo modprobe -r usbmon
# Verify current kernel version against fixed releases
uname -r
# Restrict access to the usbmon character devices
sudo chmod 600 /dev/usbmon* 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
