LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48935: netfilter: nf_tables: unregister flowtable hooks on netns exit

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel memory-safety bug in netfilter nf_tables flowtable cleanup. During network namespace exit, flowtable hooks could be released before being unregistered, creating a use-after-free condition detected by KASAN. The sources do not provide CVSS, confirmed impact, or evidence of real-world exploitation.

Executive priority

Treat this as a kernel patch-management item rather than a confirmed emergency. Prioritize internet-facing, multi-tenant, or untrusted-workload Linux systems once vendor updates are available. Escalate if your vendor assigns higher severity or confirms exploitability.

Technical view

The fix unregisters nf_tables flowtable hooks before nf_tables_flowtable_destroy releases them. The reported path shows nf_hook_entries_grow reading freed memory during hook registration after namespace teardown. The remediation logic relies on unregistering hooks, waiting for RCU grace period, then freeing flowtable state.

Likely exposure

Exposure is limited to Linux systems running affected kernel builds with nf_tables flowtable functionality present. The bundle identifies Linux kernel involvement and stable fix commits, but does not name distributions, appliance products, or cloud images.

Exploitation context

No active exploitation is cited, and KEV is false. The public record shows a syzkaller/KASAN discovery context, not an operational exploit. Required privileges, attack path, and practical impact are not established in the provided sources.

Researcher notes

The source evidence supports a use-after-free in nf_tables flowtable hook lifecycle on netns exit. It does not establish exploitability, privilege requirements, or attacker reachability. Analysis should focus on kernel provenance, backported fixes, and whether nftables flowtables are reachable in the local environment.

Mitigation direction

  • Check whether deployed kernels include the listed stable fix commits.
  • Prioritize vendor kernel updates from your Linux distribution or appliance vendor.
  • If updates are unavailable, review vendor guidance for nf_tables or flowtable mitigations.
  • Track kernel versions across hosts, containers, and network appliances using Linux kernels.

Validation and detection

  • Inventory kernel versions on exposed Linux fleets and appliances.
  • Confirm installed kernel packages include the referenced stable commits.
  • Review vendor advisories for CVE-2022-48935 applicability to shipped kernels.
  • Check whether nf_tables flowtable features are enabled or used.
  • Document any unsupported kernels requiring replacement or isolation.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48935 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxff4bf2f42a40e7dff28379f085b64df322c70b45, ff4bf2f42a40e7dff28379f085b64df322c70b45, ff4bf2f42a40e7dff28379f085b64df322c70b45, ff4bf2f42a40e7dff28379f085b64df322c70b45unaffected
LinuxLinux5.5, 0, 5.10.198, 5.15.26, 5.16.12, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.