CVE-2022-48935: netfilter: nf_tables: unregister flowtable hooks on netns exit
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unregister flowtable hooks on netns exit
Unregister flowtable hooks before they are releases via
nf_tables_flowtable_destroy() otherwise hook core reports UAF.
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
__dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
__kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
__nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429
nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571
nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232
nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652
__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which
only unregisters the hooks, then after RCU grace period, it is
guaranteed that no packets add new entries to the flowtable (no flow
offload rules and flowtable hooks are reachable from packet path), so it
is safe to call nf_flow_table_free() which cleans up the remaining
entries from the flowtable (both software and hardware) and it unbinds
the flow_block.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel memory-safety bug in netfilter nf_tables flowtable cleanup. During network namespace exit, flowtable hooks could be released before being unregistered, creating a use-after-free condition detected by KASAN. The sources do not provide CVSS, confirmed impact, or evidence of real-world exploitation.
Executive priority
Treat this as a kernel patch-management item rather than a confirmed emergency. Prioritize internet-facing, multi-tenant, or untrusted-workload Linux systems once vendor updates are available. Escalate if your vendor assigns higher severity or confirms exploitability.
Technical view
The fix unregisters nf_tables flowtable hooks before nf_tables_flowtable_destroy releases them. The reported path shows nf_hook_entries_grow reading freed memory during hook registration after namespace teardown. The remediation logic relies on unregistering hooks, waiting for RCU grace period, then freeing flowtable state.
Likely exposure
Exposure is limited to Linux systems running affected kernel builds with nf_tables flowtable functionality present. The bundle identifies Linux kernel involvement and stable fix commits, but does not name distributions, appliance products, or cloud images.
Exploitation context
No active exploitation is cited, and KEV is false. The public record shows a syzkaller/KASAN discovery context, not an operational exploit. Required privileges, attack path, and practical impact are not established in the provided sources.
Researcher notes
The source evidence supports a use-after-free in nf_tables flowtable hook lifecycle on netns exit. It does not establish exploitability, privilege requirements, or attacker reachability. Analysis should focus on kernel provenance, backported fixes, and whether nftables flowtables are reachable in the local environment.
Mitigation direction
Check whether deployed kernels include the listed stable fix commits.
Prioritize vendor kernel updates from your Linux distribution or appliance vendor.
If updates are unavailable, review vendor guidance for nf_tables or flowtable mitigations.
Track kernel versions across hosts, containers, and network appliances using Linux kernels.
Validation and detection
Inventory kernel versions on exposed Linux fleets and appliances.
Confirm installed kernel packages include the referenced stable commits.
Review vendor advisories for CVE-2022-48935 applicability to shipped kernels.
Check whether nf_tables flowtable features are enabled or used.
Document any unsupported kernels requiring replacement or isolation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48935 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.