FKIE_CVE-2022-49197

Vulnerability from fkie_nvd - Published: 2025-02-26 07:00 - Updated: 2025-09-23 13:46
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: af_netlink: Fix shift out of bounds in group mask calculation When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts. Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups. To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/ The way to trigger this issue is e.g. through monitoring the BRVLAN group: # bridge monitor vlan & # ip link add name br type bridge Which produces the following citation: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int'
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9fPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bacPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234aePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435eePatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD9EA9FB-C22D-4932-A7E3-8BA9A38C8F20",
              "versionEndExcluding": "4.9.311",
              "versionStartIncluding": "2.6.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D9B028C-6313-47F9-94B7-5F8122345E49",
              "versionEndExcluding": "4.14.276",
              "versionStartIncluding": "4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA28527A-11D3-41D2-9C4C-ECAC0D6A4A2D",
              "versionEndExcluding": "4.19.238",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CB6E8F5-C2B1-46F3-A807-0F6104AC340F",
              "versionEndExcluding": "5.4.189",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91D3BFD0-D3F3-4018-957C-96CCBF357D79",
              "versionEndExcluding": "5.10.110",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5",
              "versionEndExcluding": "5.15.33",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B",
              "versionEndExcluding": "5.16.19",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF",
              "versionEndExcluding": "5.17.2",
              "versionStartIncluding": "5.17",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_netlink: Fix shift out of bounds in group mask calculation\n\nWhen a netlink message is received, netlink_recvmsg() fills in the address\nof the sender. One of the fields is the 32-bit bitfield nl_groups, which\ncarries the multicast group on which the message was received. The least\nsignificant bit corresponds to group 1, and therefore the highest group\nthat the field can represent is 32. Above that, the UB sanitizer flags the\nout-of-bounds shift attempts.\n\nWhich bits end up being set in such case is implementation defined, but\nit\u0027s either going to be a wrong non-zero value, or zero, which is at least\nnot misleading. Make the latter choice deterministic by always setting to 0\nfor higher-numbered multicast groups.\n\nTo get information about membership in groups \u003e= 32, userspace is expected\nto use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO\nsocket option.\n[0] https://lwn.net/Articles/147608/\n\nThe way to trigger this issue is e.g. through monitoring the BRVLAN group:\n\n\t# bridge monitor vlan \u0026\n\t# ip link add name br type bridge\n\nWhich produces the following citation:\n\n\tUBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19\n\tshift exponent 32 is too large for 32-bit type \u0027int\u0027"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: af_netlink: Se corrige el cambio fuera de los l\u00edmites en el c\u00e1lculo de la m\u00e1scara de grupo Cuando se recibe un mensaje netlink, netlink_recvmsg() completa la direcci\u00f3n del remitente. Uno de los campos es el campo de bits de 32 bits nl_groups, que lleva el grupo de multidifusi\u00f3n en el que se recibi\u00f3 el mensaje. El bit menos significativo corresponde al grupo 1 y, por lo tanto, el grupo m\u00e1s alto que el campo puede representar es 32. Por encima de eso, el depurador de UB marca los intentos de cambio fuera de los l\u00edmites. Los bits que terminan siendo establecidos en tal caso est\u00e1n definidos por la implementaci\u00f3n, pero ser\u00e1 un valor incorrecto distinto de cero o cero, lo que al menos no es enga\u00f1oso. Haga que la \u00faltima opci\u00f3n sea determinista estableciendo siempre en 0 para los grupos de multidifusi\u00f3n de n\u00famero superior. Para obtener informaci\u00f3n sobre la membres\u00eda en grupos \u0026gt;= 32, se espera que el espacio de usuario use los mensajes de control nl_pktinfo[0], que se habilitan mediante la opci\u00f3n de socket NETLINK_PKTINFO. [0] https://lwn.net/Articles/147608/ La forma de desencadenar este problema es, por ejemplo, a trav\u00e9s del monitoreo del grupo BRVLAN: # bridge monitor vlan \u0026amp; # ip link add name br type bridge Lo que produce la siguiente cita: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type \u0027int\u0027"
    }
  ],
  "id": "CVE-2022-49197",
  "lastModified": "2025-09-23T13:46:39.267",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:00:56.770",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bac"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234ae"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435ee"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-190"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.