NVD Vulnerability Detail

CVE-2022-48935

Summary	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.
Publication Date	Aug. 22, 2024, 1:15 p.m.
Registration Date	Aug. 26, 2024, 4:57 p.m.
Last Update	Aug. 23, 2024, 10:45 a.m.

CVSS3.1 : MEDIUM
スコア	5.5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel::::::::	5.16			5.16.12
cpe:2.3:o:linux:linux_kernel::::::::	5.11			5.15.26
cpe:2.3:o:linux:linux_kernel::::::::	4.20			5.4.262
cpe:2.3:o:linux:linux_kernel::::::::	5.5			5.10.198
cpe:2.3:o:linux:linux_kernel::::::::				4.19.316

Related information, measures and tools

No	URL	タグ
1	https://git.kernel.org/stable/c/88c795491bf45a8c08a0f94c9ca4f13722e51013	Patch
2	https://git.kernel.org/stable/c/b05a24cc453e3cd51b0c79e3c583b5d495eba1d6	Patch
3	https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64	Patch
4	https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b	Patch
5	https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27	Patch
6	https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-416	解放済みメモリの使用	https://cwe.mitre.org/data/definitions/416.html

JVN Vulnerability Information

Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性

Title	Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性
Summary	Linux の Linux Kernel には、解放済みメモリの使用に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 21, 2022, midnight
Registration Date	Aug. 26, 2024, 4:06 p.m.
Last Update	Aug. 20, 2025, 10:06 a.m.

Affected System

Linux

Linux Kernel 4.19.316 未満

Linux Kernel 4.20 以上 5.4.262 未満

Linux Kernel 5.11 以上 5.15.26 未満

Linux Kernel 5.16 以上 5.16.12 未満

Linux Kernel 5.5 以上 5.10.198 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-48935	https://www.cve.org/CVERecord?id=CVE-2022-48935
National Vulnerability Database (NVD)
2	CVE-2022-48935	https://nvd.nist.gov/vuln/detail/CVE-2022-48935

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-416	https://cwe.mitre.org/data/definitions/416.html

ベンダー情報

No	Name	URL
Kernel.org git repositories
1	netfilter: nf_tables: unregister flowtable hooks on netns exit (6069da4)	https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6
2	netfilter: nf_tables: unregister flowtable hooks on netns exit (88c7954)	https://git.kernel.org/stable/c/88c795491bf45a8c08a0f94c9ca4f13722e51013
3	netfilter: nf_tables: unregister flowtable hooks on netns exit (8ffb8ac)	https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
4	netfilter: nf_tables: unregister flowtable hooks on netns exit (b05a24c)	https://git.kernel.org/stable/c/b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
5	netfilter: nf_tables: unregister flowtable hooks on netns exit (b4fcc08)	https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
6	netfilter: nf_tables: unregister flowtable hooks on netns exit (e51f308)	https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64
Linux Kernel
7	Linux Kernel Archives	https://www.kernel.org

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-25-226-15	https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-15
JVN
2	JVNVU#92169998	https://jvn.jp/vu/JVNVU92169998/index.html

Change Log

No	Changed Details	Date of change
1	[2024年08月26日] 掲載	Aug. 26, 2024, 4:06 p.m.
2	[2025年08月19日] 参考情報：JVN (JVNVU#92169998) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-226-15) を追加	Aug. 19, 2025, 3:53 p.m.