CVE-2022-49006: tracing: Free buffers when a used dynamic event is removed
In the Linux kernel, the following vulnerability has been resolved:
tracing: Free buffers when a used dynamic event is removed
After 65536 dynamic events have been added and removed, the "type" field
of the event then uses the first type number that is available (not
currently used by other events). A type number is the identifier of the
binary blobs in the tracing ring buffer (known as events) to map them to
logic that can parse the binary blob.
The issue is that if a dynamic event (like a kprobe event) is traced and
is in the ring buffer, and then that event is removed (because it is
dynamic, which means it can be created and destroyed), if another dynamic
event is created that has the same number that new event's logic on
parsing the binary blob will be used.
To show how this can be an issue, the following can crash the kernel:
# cd /sys/kernel/tracing
# for i in `seq 65536`; do
echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
# done
For every iteration of the above, the writing to the kprobe_events will
remove the old event and create a new one (with the same format) and
increase the type number to the next available on until the type number
reaches over 65535 which is the max number for the 16 bit type. After it
reaches that number, the logic to allocate a new number simply looks for
the next available number. When an dynamic event is removed, that number
is then available to be reused by the next dynamic event created. That is,
once the above reaches the max number, the number assigned to the event in
that loop will remain the same.
Now that means deleting one dynamic event and created another will reuse
the previous events type number. This is where bad things can happen.
After the above loop finishes, the kprobes/foo event which reads the
do_sys_openat2 function call's first parameter as an integer.
# echo 1 > kprobes/foo/enable
# cat /etc/passwd > /dev/null
# cat trace
cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
# echo 0 > kprobes/foo/enable
Now if we delete the kprobe and create a new one that reads a string:
# echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events
And now we can the trace:
# cat trace
sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="���������������������������������������
---truncated---
Security readout for executives and security teams
Plain-English summary
CVE-2022-49006 is a Linux kernel tracing flaw. Reusing identifiers for removed dynamic events can make old trace-buffer data be parsed with the wrong event format, potentially crashing the kernel. This is most relevant where dynamic tracing such as kprobes is enabled and accessible.
Executive priority
Treat as a planned kernel maintenance item, with higher priority for shared hosts, observability platforms, and environments granting tracing access. There is no sourced evidence of active exploitation, but a kernel crash can affect availability.
Technical view
The issue involves Linux kernel dynamic tracing events. After many add/remove cycles, a 16-bit event type identifier can be reused while older records remain in the ring buffer. A new event parser may interpret stale records incorrectly. The kernel fix frees buffers when a used dynamic event is removed.
Likely exposure
Linux systems running affected kernel versions with dynamic tracing facilities, especially kprobe events, exposed to administrators or delegated users. The CVE record lists Linux kernels including 2.6.33, 5.4.226, 5.10.158, 5.15.82, 6.0.12, and 6.1 as affected.
Exploitation context
The public description demonstrates local interaction with tracing controls causing a kernel crash. The provided sources do not show remote exploitation, privilege escalation, or active exploitation. CISA KEV status is false in the source bundle.
Researcher notes
Evidence comes from the CVE description and upstream stable commits. No CVSS, CWE, or vendor-specific package fix matrix is provided in the bundle. Access requirements are not explicitly stated, so validate local tracing permissions before rating internal exposure.
Mitigation direction
Update to a Linux kernel or distribution package containing the referenced stable fixes.
Check your Linux vendor advisory for the exact fixed package for your distribution.
Restrict access to kernel tracing interfaces to trusted administrators only.
Review delegated debugging, observability, or container configurations that expose tracing controls.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Confirm whether dynamic tracing or kprobe event interfaces are enabled and accessible.
Check distro changelogs for CVE-2022-49006 or the referenced upstream commits.
Verify tracing interfaces are not exposed to untrusted users or workloads.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49006 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.